CVE-2025-0504: CWE-266: Incorrect Privilege Assignment in Black Duck Black Duck SCA
Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role who also had the Global User Read access permission enabled could access certain Project Administrator functionalities which should have been inaccessible. Exploitation does not grant full system control, but it may enable unauthorized changes to project configurations or access to sensitive system information.
AI Analysis
Technical Summary
CVE-2025-0504 is a vulnerability identified in Black Duck SCA, a widely used software composition analysis tool for managing open source security and compliance risks. The issue arises from improper configuration of user role permissions in versions prior to 2025.10.0. Specifically, users assigned the scoped Project Manager role combined with Global User Read access can gain access to functionalities reserved for Project Administrators. This misconfiguration violates the principle of least privilege, allowing these users to perform unauthorized actions such as modifying project configurations and accessing sensitive system information that should be restricted. The vulnerability is categorized under CWE-266, which concerns incorrect privilege assignment. The CVSS 4.0 vector indicates the attack can be performed remotely (AV:N) with low complexity (AC:L), requires only low privileges (PR:L, an authenticated user with limited rights rather than an administrator), and needs no user interaction (UI:N). The impact on confidentiality and integrity is low to moderate, as the attacker cannot gain full system control or execute arbitrary code but can alter project-level settings and view sensitive data. No known exploits have been reported in the wild, but the vulnerability poses a risk to organizations relying on Black Duck SCA for managing open source components. The flaw highlights the importance of correctly scoping user roles and permissions in security-critical tools to prevent privilege escalation and unauthorized access.
Potential Impact
For European organizations, the vulnerability could lead to unauthorized changes in project configurations and exposure of sensitive information within Black Duck SCA environments. This may compromise the integrity of software supply chain management processes, potentially leading to compliance violations or the introduction of vulnerabilities into software projects. While the vulnerability does not allow full system compromise, unauthorized configuration changes could disrupt development workflows or weaken security postures. Organizations heavily reliant on Black Duck SCA for open source risk management, especially those in regulated industries such as finance, healthcare, and critical infrastructure, may face increased operational risk and regulatory scrutiny. The risk is amplified in environments where multiple teams share access to Black Duck SCA and where role assignments are not strictly controlled. Additionally, unauthorized access to sensitive project data could aid attackers in crafting targeted attacks or in stealing intellectual property. The absence of known exploits reduces immediate risk but does not eliminate the potential for future exploitation.
Mitigation Recommendations
European organizations should immediately audit user roles and permissions within Black Duck SCA to ensure that scoped Project Manager roles do not have unintended Global User Read access or access to Project Administrator functionalities. Implement strict role-based access control (RBAC) policies limiting permissions to the minimum necessary for job functions. Monitor logs for unusual access patterns or configuration changes. Plan to upgrade to Black Duck SCA version 2025.10.0 or later once patches are released by the vendor. Until patches are available, consider temporarily restricting Global User Read permissions or segregating duties to reduce risk. Conduct security awareness training for administrators on the importance of correct privilege assignments. Integrate Black Duck SCA access controls with centralized identity and access management (IAM) solutions to enforce consistent policies. Regularly review and update user roles as part of the organization's security governance. Finally, maintain an incident response plan to quickly address any potential misuse of elevated privileges.
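As an added example (not from the advisory and not Black Duck's own tooling), a small audit script over a constructed export of user role assignments: it flags accounts that hold a scoped Project Manager role together with the Global User Read permission, the combination the advisory describes, and checks whether the server version is below 2025.10.0. The export layout and field names are assumptions; a real Black Duck export would need its own parser.

```python
import json
from typing import Any, Dict, List

FIXED_VERSION = "2025.10.0"  # first release the advisory lists as unaffected


def parse_version(v: str) -> tuple:
    """Turn a dotted version like '2025.7.1' into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str) -> bool:
    """True when the server version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_risky_assignments(users: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return (user, project) pairs holding scoped Project Manager plus
    Global User Read, i.e. the combination the advisory calls out."""
    findings = []
    for u in users:
        if "Global User Read" not in u.get("global_permissions", []):
            continue
        for r in u.get("project_roles", []):
            if r["role"] == "Project Manager":
                findings.append({"user": u["username"], "project": r["project"]})
    return findings


def audit(export: Dict[str, Any]) -> Dict[str, Any]:
    """Combine the version check and the role audit into one report."""
    return {
        "server_affected": is_affected(export["server_version"]),
        "risky_assignments": find_risky_assignments(export["users"]),
    }


# Constructed sample export; the schema and role names are assumptions.
SAMPLE_EXPORT = json.loads("""
{
  "server_version": "2025.7.1",
  "users": [
    {"username": "alice", "global_permissions": ["Global User Read"],
     "project_roles": [{"project": "payments-api", "role": "Project Manager"}]},
    {"username": "bob", "global_permissions": [],
     "project_roles": [{"project": "payments-api", "role": "Project Manager"}]},
    {"username": "carol", "global_permissions": ["Global User Read"],
     "project_roles": [{"project": "web-frontend", "role": "Project Viewer"}]}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EXPORT), indent=2))
```

Only alice is reported: bob lacks the global permission and carol is not a Project Manager, so neither matches the advisory's precondition.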
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: BlackDuck
- Date Reserved: 2025-01-15T18:37:28.166Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6920de31ac1487f7bb251787
Added to database: 11/21/2025, 9:48:33 PM
Last enriched: 11/21/2025, 10:02:44 PM
Last updated: 11/22/2025, 10:12:19 AM