CVE-2025-57784
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-02-18
Assigner: CERT/CC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hiawatha-webserver | hiawatha | 11.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication timing attack in the Tomahawk administrative shell of the Hiawatha webserver version 11.7. It arises because the authentication mechanism uses the `strcmp` function, which can leak timing information. A local attacker can exploit this timing difference to gain unauthorized access to the management client of the webserver. [1]
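The `strcmp` weakness described above, shown as an added illustration rather than Hiawatha's actual Tomahawk code: the early-exit comparison beside a check whose running time does not depend on where the attempt diverges from the stored secret. The stored password and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret for the example; not a real Hiawatha credential. */
static const char ADMIN_PASSWORD[] = "example-admin-secret";

/* The vulnerable pattern the advisory describes: strcmp returns at the
 * first mismatching byte, so a wrong attempt sharing a longer prefix with
 * the real password is rejected measurably later than one that differs
 * in its first byte. That difference is the timing side channel. */
int check_password_strcmp(const char *attempt) {
    return strcmp(attempt, ADMIN_PASSWORD) == 0;
}

/* Hardened variant: always walks the full length of the stored secret and
 * folds every mismatch (including a length mismatch) into one accumulator,
 * so the time taken reveals nothing about which bytes were right. */
int check_password_ct(const char *attempt) {
    size_t secret_len = sizeof(ADMIN_PASSWORD) - 1;
    size_t attempt_len = strlen(attempt); /* depends only on attacker-known input */
    uint8_t diff = (uint8_t)(attempt_len != secret_len);
    for (size_t i = 0; i < secret_len; i++) {
        /* Stay within the attempt's bounds; past its end compare against a fixed byte. */
        uint8_t a = (i < attempt_len) ? (uint8_t)attempt[i] : 0;
        diff |= (uint8_t)(a ^ (uint8_t)ADMIN_PASSWORD[i]);
    }
    return diff == 0; /* 1 only when length and every byte matched */
}

int main(void) {
    const char *attempts[] = { "example-admin-secret", "example-admin-secreT", "e", "" };
    for (size_t i = 0; i < sizeof(attempts) / sizeof(attempts[0]); i++) {
        printf("%-22s strcmp=%d constant-time=%d\n", attempts[i],
               check_password_strcmp(attempts[i]), check_password_ct(attempts[i]));
    }
    return 0;
}
```

Both functions accept and reject the same inputs; only the hardened one removes the data-dependent early exit that makes the authentication timing observable.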
How can this vulnerability impact me?
This vulnerability allows a local attacker to bypass authentication and access the management client of the Hiawatha webserver. This unauthorized access could enable the attacker to execute administrative commands, manage clients, ban or unban IPs, view server status, and potentially disrupt or control the webserver operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a timing attack on the Tomahawk authentication in Hiawatha webserver version 11.7. Detection can be approached by monitoring for unusual or unauthorized access attempts to the Tomahawk administrative shell. Using the Tomahawk shell commands, you can check current bans, clients, and request logs to identify suspicious activity. Suggested commands include: 'show clients' to view connected clients, 'show requests' to monitor HTTP requests if enabled, and 'show bans' to review banned IPs. Additionally, monitoring logs for exploit attempts or abnormal authentication patterns may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local access to the Tomahawk administrative shell to trusted users only, as the vulnerability allows local attackers to gain management access. Use the Tomahawk commands to ban suspicious IP addresses ('ban <ip> [<time>]'), kick unauthorized clients ('kick <id|ip|all>'), and clear counters or cache if needed. Ensure strong passwords are set for administrator authentication. Additionally, disconnect all administrators and reset sessions if suspicious activity is detected using 'disconnect_admins()' functionality. Monitoring and limiting idle timeouts can also reduce risk by auto-logging out inactive sessions. [1]