Tag: score:9.2

CVE-2025-24032: Authentication Bypass in PAM-PKCS#11 Due to Insecure Default `cert_policy` Setting
Overview
On February 10, 2025, a critical vulnerability was published under the identifier CVE-2025-24032, affecting the PAM-PKCS#11 module maintained by OpenSC. This Linux-PAM login module facilitates user authentication via X.509 certificates and is commonly integrated into secure systems that use smartcards or cryptographic tokens. The vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.2.
Technical Details
The vulnerability stems from the default setting of the cert_policy configuration parameter in pam_pkcs11. If left as none-its default-pam_pkcs11 does not verify that the presented token can perform private key operations such as signing. Instead, it only checks if the certificate exists on a token and whether the user has access to it.
This creates a severe security gap. An attacker can fabricate a token containing a victim’s public certificate and pair it with a known PIN. If no private key validation is enforced, the system cannot distinguish this fake token from a legitimate one, allowing unauthorized logins.
Affected Versions
The issue affects all versions from pam_pkcs11-0.6.0 up to but not including 0.6.13.
CVSS v4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/S:C/C:H/I:H/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: Present (crafted token needed)
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality & Integrity Impact: High
- Availability Impact: Low
Mitigation
Users are strongly advised to upgrade to pam_pkcs11 version 0.6.13 or later. The patched version enforces signature-based validation by default. As an immediate workaround, administrators should set cert_policy = signature; explicitly in the pam_pkcs11.conf file.
Conclusion
CVE-2025-24032 exemplifies the risks of insecure defaults in authentication modules. In critical environments using smartcard-based login, overlooking private key validation opens doors for silent impersonation. Updating PAM-PKCS#11 and revisiting configuration settings is imperative to mitigate this threat.
2025-05-21
Critical OS Command Injection in MicroWorld eScan Antivirus (CVE-2025-0798)
Overview
A critical vulnerability has been identified in MicroWorld eScan Antivirus version 7.0.32 for Linux. Tracked as CVE-2025-0798, the flaw resides in the Quarantine Handler component, specifically involving the rtscanner file. This vulnerability has been classified as an OS Command Injection issue, allowing remote attackers to execute arbitrary commands on the system.
Technical Details
The vulnerability arises due to insufficient sanitization of inputs processed by the rtscanner file. When the system handles quarantined files, it improperly passes user-supplied input to operating system commands. This results in an OS Command Injection, categorized under CWE-78 and CWE-77, both referring to improper command execution from untrusted input.
While the attack requires no privileges and can be executed remotely, it has a high attack complexity due to the intricate nature of triggering the vulnerable code path. According to public disclosures, exploitation is challenging but possible. A proof-of-concept (PoC) has been made publicly available, increasing the urgency for mitigation.
Impact Assessment
The vulnerability has been scored across multiple CVSS versions:
- CVSS 4.0: 9.2 (CRITICAL) — CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- CVSS 3.1 & 3.0: 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS 2.0: 7.6 — AV:N/AC:H/Au:N/C:C/I:C/A:C
The vulnerability affects confidentiality, integrity, and availability at a high level. Given its remote exploitability and the potential to fully compromise a system, it poses a significant threat to organizations relying on MicroWorld eScan Antivirus for Linux.
Disclosure and Vendor Response
The vulnerability was discovered and reported by FPT IS Security and made public through VulDB on January 29, 2025. Despite early vendor notification, there has been no response or official mitigation guidance from MicroWorld as of the latest update.
Recommendations
- Limit exposure: Ensure that eScan services are not directly exposed to the internet or untrusted networks.
- Monitor systems: Watch for abnormal system behavior or unauthorized processes originating from eScan components.
- Mitigate via containment: If updates or patches are unavailable, consider isolating affected systems or switching to alternative security tools.
- Exploit awareness: Review the published PoC at GitHub to understand potential attack vectors and detection signatures.
Conclusion
CVE-2025-0798 highlights the criticality of robust input validation and the risks posed by command injection flaws in security software itself. Organizations using MicroWorld eScan Antivirus should prioritize investigation and risk mitigation measures immediately, particularly in Linux environments.
2025-05-20
CVE-2025-43858: Critical Command Injection in YoutubeDLSharp on Windows
Overview
CVE-2025-43858 is a critical vulnerability discovered in YoutubeDLSharp, a .NET wrapper around the popular command-line video downloaders youtube-dl and yt-dlp. This issue affects versions from 1.0.0-beta4 to prior to 1.1.2 and allows for command injection on Windows systems under specific conditions.
Technical Details
The vulnerability is categorized under CWE-77 and CWE-78, which refer to improper neutralization of special elements in command inputs. Specifically, YoutubeDLSharp passes arguments to yt-dlp without proper sanitization when executed via the command prompt on Windows.
This behavior becomes critical due to the use of the UseWindowsEncodingWorkaround flag, which is set to true by default. Users invoking built-in methods from YoutubeDL.cs cannot override this setting, making them especially vulnerable. As a result, a malicious input could trigger unintended command execution, potentially compromising confidentiality, integrity, and availability on the target system.
CVSS Score and Severity
The vulnerability has been assigned a CVSS v3.1 base score of 9.2, classifying it as CRITICAL. The vector string is:
```
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
```
This indicates that the attack can be carried out locally with low complexity, no privileges, and no user interaction, while resulting in high impact on confidentiality and integrity.
Affected Versions
- Product: YoutubeDLSharp
- Vendor: Bluegrams
- Versions Affected: >= 1.0.0-beta4 and < 1.1.2
Mitigation
The vulnerability has been addressed in version 1.1.2. All users of affected versions should:
- Upgrade to v1.1.2 immediately
- Review usage of built-in command execution methods in their implementations
- Avoid relying on defaults that obscure execution context or encoding behavior
References
Conclusion
CVE-2025-43858 highlights the risks of executing command-line utilities without stringent input validation. Developers embedding third-party tools like yt-dlp should ensure that all input is carefully sanitized to avoid introducing critical security flaws. Updating to the latest version is essential for maintaining a secure software environment.
2025-05-20
CVE-2025-26692: Path Traversal Vulnerability in SIOS Quick Agent
Overview
CVE-2025-26692 identifies a critical security vulnerability affecting SIOS Quick Agent V2 and V3. Specifically, Quick Agent V3 versions prior to 3.2.1 and Quick Agent V2 versions prior to 2.9.8 are affected. This vulnerability involves improper limitation of a pathname to a restricted directory, commonly known as a Path Traversal issue.
Technical Details
The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. Affected versions fail to adequately validate file paths, allowing remote unauthenticated attackers to traverse directories and access files outside the intended root directory. If exploited, this can result in the execution of arbitrary code with Windows system privileges.
Because the software runs with elevated permissions, successful exploitation could allow complete system compromise, depending on the attacker’s ability to control or manipulate uploaded file paths.
Severity and CVSS Scores
This vulnerability has received the following CVSS ratings:
- CVSS v3.0: 8.1 (High) – CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS v4.0: 9.2 (Critical) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
These scores reflect the seriousness of the issue, highlighting its remote exploitability, lack of required user interaction, and the high impact on confidentiality, integrity, and availability.
Potential Impact
If left unpatched, this vulnerability could allow attackers to:
- Read or modify sensitive system files
- Install and execute malicious programs
- Fully compromise affected systems
The risk is elevated due to the lack of authentication needed and the ability to exploit the issue over a network.
Mitigation
- Upgrade to: Quick Agent V3 version 3.2.1 or later, and Quick Agent V2 version 2.9.8 or later.
- Restrict network access: Ensure that only trusted systems can reach the agent endpoints.
- Monitor system logs: Look for abnormal file access patterns or unexpected file executions.
References
2025-05-20
CVE-2025-36560: Server-Side Request Forgery in a-blog cms
Overview
A critical server-side request forgery (SSRF) vulnerability has been identified in multiple versions of a-blog cms, a content management system developed by Appleple Inc. Tracked as CVE-2025-36560, this flaw may allow unauthenticated remote attackers to access sensitive internal information by sending specially crafted requests.
What is SSRF?
Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can make the server perform unintended requests on behalf of the attacker. This can lead to exposure of internal systems, bypass of network access controls, and access to services not directly exposed to the internet.
The issue falls under CWE-918, a classification for SSRF vulnerabilities. In this case, a-blog cms does not sufficiently validate input that is used to form outbound server requests.
Vulnerable Versions
The following versions of a-blog cms are affected:
- 2.8.85 and earlier (2.8.x series)
- 2.9.52 and earlier (2.9.x series)
- 2.10.63 and earlier (2.10.x series)
- 2.11.75 and earlier (2.11.x series)
- 3.0.47 and earlier (3.0.x series)
- 3.1.43 and earlier (3.1.x series)
Users are urged to upgrade to the latest version as soon as possible to mitigate the risk.
Severity and CVSS Scores
This vulnerability has been evaluated with the following scores:
- CVSS v3.1 Score: 8.6 (High)
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- CVSS v4.0 Score: 9.2 (Critical)
  Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
These ratings highlight the severity of the vulnerability. With no user interaction and no privileges required, the exploitability is high and the confidentiality impact is substantial.
Risk Context from SSVC
The Stakeholder-Specific Vulnerability Categorization (SSVC) assessment by CISA reports:
- No known active exploitation
- Vulnerability is automatable
- Partial technical impact
While exploitation has not been observed, the risk remains significant due to the potential for future automated attacks.
Mitigation Recommendations
To protect against this vulnerability, administrators should:
- Update to a version of a-blog cms that addresses CVE-2025-36560
- Restrict external requests from server-side logic wherever possible
- Validate and sanitize all user inputs used in server requests
- Monitor network traffic and implement firewall rules to limit unnecessary outbound access
References
- a-blog cms Developer Advisory
- Japan Vulnerability Notes (JVN)
Prompt action is advised to avoid potential exploitation of this critical SSRF vulnerability. Ensuring systems are patched and network architecture minimizes exposure is essential in today’s threat landscape.
2025-05-19