CVE-2025-54766
BaseFortify
Publication date: 2025-07-29
Last updated on: 2025-11-03
Assigner: KoreLogic
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xorux | xormon | up to 1.8.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-648 | The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54766 is a vulnerability in Xorux's XorMon-NG product (version 1.8 and earlier) where an API endpoint intended only for web application administrators is accessible by lower-level read-only users. This endpoint allows exporting the appliance configuration as an encrypted archive, but due to improper access control and a default encryption password "undefined", authenticated read-only users can download and decrypt this archive. The decrypted data contains sensitive information such as password hashes and cloud credentials in plaintext, which attackers can use to escalate privileges and gain unauthorized access. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with read-only access to export and decrypt sensitive configuration data, including password hashes and cloud credentials. The attacker can potentially crack password hashes to escalate privileges to administrator level and gain unauthorized access to the web application and associated cloud infrastructure, leading to data breaches and control over critical systems. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable API endpoint with a read-only user account and checking whether the configuration export is accessible. A suggested command is a crafted curl request using a valid session cookie to download the encrypted configuration export, for example: `curl -b 'session_cookie=your_valid_cookie' https://<target>/api/export-config -o export.tar.gz.gpg`. Then attempt to decrypt the archive using GPG with the default password "undefined" to verify whether sensitive data can be extracted. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the XorMon-NG product to version 1.9.38 or later, where access to the export endpoint is properly restricted to administrators only. Until the upgrade can be applied, restrict read-only user access to the vulnerable API endpoint and monitor for any unauthorized export attempts. [1]