Karl.Fail

Tag: score:10.0

  • CVE-2025-31324: Critical File Upload Vulnerability in SAP NetWeaver Visual Composer

    Overview

    CVE-2025-31324 exposes a critical vulnerability in SAP NetWeaver Visual Composer development server, specifically in the Metadata Uploader component. The flaw enables unauthenticated attackers to upload malicious binaries without proper authorization, resulting in potential full compromise of the host system.

    Technical Details

    This vulnerability arises due to a missing authorization check (CWE-434: Unrestricted Upload of File with Dangerous Type). The Metadata Uploader allows file submissions without verifying the origin or privileges of the request. Consequently, an attacker can send specially crafted executable files over HTTP, leading to remote code execution, data breaches, or system outages.

    CVSS Score and Vector

    • Base Score: 10.0 (Critical)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Impact: High (Confidentiality, Integrity, Availability)

    Affected Product

    • SAP NetWeaver (Visual Composer development server), Version: VCFRAMEWORK 7.50

    Mitigation and Recommendations

    SAP has issued security patches addressing this vulnerability in its April 2025 Security Patch Day. Organizations using affected systems should:

    • Apply the latest SAP patches immediately.
    • Restrict network access to the Visual Composer development server.
    • Audit access logs for signs of unauthorized file uploads.
    • Review and enforce strict authorization policies on all upload mechanisms.

    Active Exploitation

    Reports confirm that this vulnerability is under active exploitation in the wild. Security teams should treat this as a high-priority incident and verify whether their environments show any indication of compromise.

    For further details, consult the following resources:

  • Critical Privilege Escalation in Argo Events via EventSource and Sensor CR (CVE-2025-32445)

    Overview

    CVE-2025-32445 reveals a critical security flaw in Argo Events, an event-driven workflow automation framework for Kubernetes. The vulnerability allows users with limited privileges to escalate access and gain control over the host system and the entire Kubernetes cluster.

    Technical Details

    The issue arises from the way EventSource and Sensor custom resources (CRs) are handled. Users with permission to create or modify these resources can manipulate the spec.template and spec.template.container fields—based on the k8s.io/api/core/v1.Container type.

    This means arbitrary container properties, such as command, args, securityContext, and volumeMount, can be specified. By crafting malicious CRs, an attacker could launch pods with elevated privileges, enabling host-level access and control over the cluster.

    The vulnerability is categorized under CWE-250: Execution with Unnecessary Privileges. It demonstrates how insufficient restriction on customization of Kubernetes resources can expose systems to severe privilege escalation risks.

    Severity and CVSS

    According to the CVSS 3.1 scoring system, this vulnerability has a base score of 10.0 (Critical), indicating maximum severity. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability: High

    This indicates a low barrier to exploitation with a highly impactful result, making immediate remediation essential.

    Affected Versions

    This vulnerability affects all versions of Argo Events prior to v1.9.6. The issue has been fixed in version 1.9.6, which introduces stricter controls around custom resource specifications.

    Recommendations

    • Upgrade to Argo Events v1.9.6 or later immediately.
    • Review user permissions for EventSource and Sensor CRs to ensure only trusted users can modify them.
    • Audit existing CR definitions for signs of abuse or unexpected configurations.

    Conclusion

    CVE-2025-32445 exemplifies how misconfigured permissions and overly flexible resource definitions in Kubernetes environments can lead to critical privilege escalation. Organizations using Argo Events should treat this vulnerability as a high-priority security concern and act swiftly to secure their clusters.

    More details can be found in the official advisory: GitHub Security Advisory

  • CVE-2025-29813: Critical Privilege Escalation in Azure DevOps Server

    Overview

    On May 8, 2025, Microsoft disclosed CVE-2025-29813, a critical elevation of privilege vulnerability affecting Azure DevOps Server. The vulnerability has been assigned a maximum CVSS score of 10.0, indicating its severity and potential impact. This flaw allows an unauthorized attacker to gain elevated privileges over a network through an authentication bypass mechanism.

    Technical Details

    The vulnerability is categorized under CWE-302: Authentication Bypass by Assumed-Immutable Data. This class of vulnerability arises when systems trust data that is presumed immutable—such as identity claims or tokens—without adequate verification. In the context of Azure DevOps Server, the system failed to validate these identity claims properly, enabling attackers to spoof identities and escalate their privileges.

    The root cause lies in the handling of spoofable identity claims. Attackers who can craft these claims and inject them into a session may assume elevated roles or access levels that should not be available to them. Since the vulnerability is network-exploitable and does not require user interaction or prior authentication, it significantly raises the risk profile.

    What Is CVSS 3.1?

    The Common Vulnerability Scoring System (CVSS) provides a standardized method for rating the severity of security vulnerabilities. In this case, the vulnerability scored 10.0 (CRITICAL) under CVSS 3.1. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H breaks down as follows:

    • AV:N – Attack vector is network-based
    • AC:L – Low attack complexity
    • PR:N – No privileges required
    • UI:N – No user interaction
    • S:C – Scope change occurs
    • C:H/I:H/A:H – High impact on confidentiality, integrity, and availability

    These factors combine to reflect a worst-case scenario for enterprise environments relying on Azure DevOps Server.

    Impacted Systems

    The vulnerability affects all versions of Microsoft Azure DevOps Server as no specific version was excluded in the disclosure. This includes self-hosted installations that may not benefit from automatic security patches.

    Recommended Mitigations

    • Apply official patches or updates released by Microsoft as soon as they become available.
    • Audit identity and access management policies to detect unusual privilege escalations.
    • Monitor network traffic for signs of spoofed identity tokens.
    • Restrict access to Azure DevOps interfaces from untrusted networks.

    Conclusion

    CVE-2025-29813 exemplifies the critical risks posed by improperly validated authentication data. Enterprises using Azure DevOps Server must act swiftly to mitigate this vulnerability and reinforce trust boundaries in their identity systems.

    For more details, see Microsoft’s official advisory: CVE-2025-29813.

  • CVE-2025-20188: Critical File Upload and Command Execution Vulnerability in Cisco IOS XE

    Overview

    CVE-2025-20188 discloses a critical vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software running on Wireless LAN Controllers (WLCs). This flaw allows unauthenticated, remote attackers to upload arbitrary files and execute commands with root privileges.

    Technical Details

    The root cause is the use of a hard-coded JSON Web Token (JWT) within the affected software. This credential grants unauthorized access to the AP image download interface. By crafting specific HTTPS requests, attackers can:

    • Upload arbitrary files
    • Perform path traversal
    • Execute arbitrary commands as the root user

    The vulnerable feature is not enabled by default, but if it is activated, the threat surface expands significantly for affected systems.

    Vulnerable Versions

    Affected versions of Cisco IOS XE Software include but are not limited to:

    • 17.7.1 through 17.14.1
    • 17.10.1b, 17.11.99SW, and several patch releases in between

    CVSS Score and Severity

    This vulnerability carries a CVSS v3.1 base score of 10.0, the highest possible rating, indicating full compromise potential. Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Impact: High confidentiality, integrity, and availability

    Impact

    A successful exploit allows complete system compromise, including the ability to upload and execute malicious payloads. Given that no authentication is required, the vulnerability poses a major risk, particularly in environments where the Out-of-Band AP Image Download feature is enabled.

    Mitigation and Recommendations

    • Disable the affected feature if not in use.
    • Apply Cisco patches as referenced in the official advisory.
    • Restrict external access to management interfaces via firewall rules.
    • Monitor logs for suspicious file upload or command activity.

    References

  • CVE-2025-30065: Critical Code Execution Vulnerability in Apache Parquet Java (parquet-avro Module)

    Overview

    On April 1, 2025, a critical vulnerability was published under the identifier CVE-2025-30065. The flaw affects Apache Parquet Java, specifically the parquet-avro module in versions ≤ 1.15.0. This vulnerability allows attackers to execute arbitrary code when a specially crafted Avro schema is parsed from Parquet file metadata.

    Technical Details

    This issue arises due to unsafe schema parsing that leads to deserialization of untrusted data (CWE-502). When an application using the vulnerable library reads a malicious Parquet file, it may deserialize attacker-controlled input, resulting in full remote code execution. This can occur without any user interaction or special permissions.

    The issue has been assigned the highest CVSS v4.0 base score of 10 (Critical), reflecting the severity and exploitability of the flaw. According to the CVSS vector:

    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality, Integrity, Availability Impact: High

    Impacted Component

    The vulnerability affects the org.apache.parquet:parquet-avro package from the Apache Parquet Java library. All versions up to and including 1.15.0 are vulnerable.

    Real-World Impact

    This vulnerability is particularly dangerous in environments where applications process Parquet files from untrusted sources, such as data ingestion systems, cloud data pipelines, or external integrations. Exploitation can lead to complete system compromise, as confirmed by publicly available proof-of-concept exploits.

    Mitigation

    • Upgrade to Apache Parquet Java version 1.15.1 or later, which includes a fix for this issue.
    • Do not process untrusted Parquet files until patches are applied.
    • Consider isolating file parsing into sandboxed or low-privilege environments to reduce risk.

    Discovery and Acknowledgment

    This vulnerability was discovered by Keyi Li from Amazon. The Apache Software Foundation has released an advisory and patch for the issue. Additional exploit demonstrations have been shared by the security community on GitHub.

    References

    All users of the Apache Parquet Java library are urged to update immediately.

  • CVE-2025-23211: Critical SSTI to Remote Code Execution in Tandoor Recipes

    Overview

    CVE-2025-23211 is a critical vulnerability affecting Tandoor Recipes, an open-source application used for managing recipes, meal planning, and shopping lists. The flaw allows server-side template injection (SSTI) via Jinja2, potentially leading to full remote code execution. Versions prior to 1.5.24 are affected.

    What is SSTI?

    Server-Side Template Injection (SSTI) occurs when user-supplied input is insecurely embedded into server-side templates, allowing attackers to inject and execute malicious code. This vulnerability is especially dangerous when using powerful template engines like Jinja2 in Python, which can expose system functions.

    This vulnerability is categorized under CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine. In this case, untrusted input is passed to Jinja2 without proper sanitization, enabling the injection of arbitrary commands into rendered templates.

    Technical Impact

    The issue allows any authenticated user to execute code on the server. In deployments using the provided Docker Compose setup, such execution occurs with root privileges, significantly increasing the severity of the flaw.

    Severity and CVSS Score

    This vulnerability has been rated as CRITICAL with a CVSS v3.1 base score of 10.0:

    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Impact: Complete compromise of confidentiality, integrity, and availability

    Exploitation and Risk

    According to CISA’s SSVC enrichment, exploitation has been demonstrated in proof-of-concept form. While automation is not currently a factor, the technical impact is considered total, indicating full control over the server is possible.

    Mitigation

    To remediate this vulnerability:

    • Upgrade Tandoor Recipes to version 1.5.24 or later
    • Restrict template rendering to sanitized, trusted inputs only
    • Review access control policies to minimize user privileges
    • Consider deploying the application with non-root containers

    References

    Due to the nature of SSTI and the use of Jinja2, this vulnerability should be treated as a top priority for remediation.