CVE-2025-54765
BaseFortify

Publication date: 2025-07-29

Last updated on: 2025-11-03

Assigner: KoreLogic

Description
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include granting themselves administrative level permissions.
Meta Information
Published: 2025-07-29
Last Modified: 2025-11-03
Generated: 2026-05-07
AI Q&A: 2025-07-29
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: xorux
Product: xormon
Version / Range: up to and including 1.8.0
CWE
CWE-648: The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Xorux's XorMon-NG web application version 1.8 and earlier, where an API endpoint intended only for administrators is hidden but accessible by read-only users. This endpoint allows importing appliance configurations. An attacker with read-only access can export the device configuration, modify it to elevate their privileges by adding themselves to the admin group and changing their read-only status, then re-import the modified configuration. The import/export process uses GPG encryption with a default symmetric passphrase "undefined," making it easy for attackers to decrypt and re-encrypt the configuration files. By exploiting this, the attacker can escalate their privileges from read-only to administrator. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker who has only read-only access to the web application to escalate their privileges to administrator level. This means the attacker can gain full control over the appliance configuration, potentially changing settings, granting themselves or others administrative permissions, and compromising the security and integrity of the system. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking if the vulnerable API endpoint for importing appliance configurations is accessible by read-only users. You can monitor web application traffic for requests to the configuration import API endpoint, especially those involving tar.gz.gpg files and WebSocket requests with the passphrase "undefined". Commands to detect this might include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP or WebSocket traffic to the API endpoint, or using curl or similar tools to test access to the import API with a read-only user session. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Xorux's XorMon-NG web application to version 1.9.38 or later, which patches this vulnerability. Additionally, restrict access to the vulnerable API endpoint to administrators only and review user permissions. Further remediation instructions are available at https://xormon.com/note190.php. [1]

