CVE-2025-46067
Privilege Escalation via Malicious JS in Automai Director
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| automai | director | 25.2.0 |
| automai | director | up to 25.2.0 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-46067 is a high-risk vulnerability in Automai Director versions prior to 25.2.0 that allows a remote attacker to escalate privileges and obtain sensitive information by exploiting hard-coded credentials embedded within the application. These static authentication values enable attackers to bypass normal authentication mechanisms without prior privileges or user interaction, potentially leading to unauthorized access and data compromise. [2]
How can this vulnerability impact me?
This vulnerability can allow remote attackers to gain unauthorized access to Automai Director systems by bypassing authentication, leading to privilege escalation and exposure of sensitive information. Exploitation may result in impersonation of legitimate users or services, unauthorized data disclosure, data manipulation, and potential lateral movement within connected systems, thereby compromising system integrity and confidentiality. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Automai Director to version 25.2.0 or later, as the issue has been fixed in this release. Additionally, review and remove any hard-coded credentials in your deployment to prevent unauthorized access. Follow vendor guidance and apply any available patches promptly. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote attackers to escalate privileges and obtain sensitive information by exploiting hard-coded credentials, leading to unauthorized data disclosure and potential data manipulation. Such unauthorized access and data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information and mandate protection against unauthorized disclosure. Therefore, this vulnerability poses a risk to maintaining compliance with these standards. [2]