CVE-2025-12810 is a vulnerability classified under CWE-287 (Improper Authentication) found in Delinea Inc.'s Secret Server On-Premises product, specifically versions 11.8.1, 11.9.6, and 11.9.25. The issue resides in the RPC Password Rotation modules that handle automated password changes for managed secrets. When a secret is configured with the "change password on check in" feature enabled, the system attempts to rotate the password upon check-in. However, if the password change operation fails after exhausting its retry limit, the secret is still automatically checked back in. This results in the secret being stored with an outdated or incorrect password, creating an inconsistent state between the stored secret and the actual credential. Such inconsistency can cause authentication failures for legitimate users or automated systems relying on the secret, potentially leading to denial of service or unauthorized access if attackers exploit the mismatch. The vulnerability does not require user interaction and can be exploited remotely with low complexity, but it does require some privileges (PR:L) on the system. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required for attack initiation, no user interaction, and partial impacts on confidentiality, integrity, and availability. The vendor has addressed this issue in version 11.9.47 and later, ensuring that secrets remain checked out if the password change fails, preventing inconsistent states. No public exploits or active exploitation have been reported to date, but the vulnerability poses risks to organizations relying on automated password rotation for privileged account management.

For European organizations, this vulnerability can disrupt privileged access management workflows by causing secrets to be out of sync with actual credentials. This inconsistency may lead to authentication failures, blocking legitimate access to critical systems and services, potentially resulting in operational downtime or delays in incident response. Attackers with some level of access could exploit this flaw to maintain access using stale credentials or cause denial of service by triggering failed password rotations. Given the critical role of privileged access management in protecting sensitive data and infrastructure, exploitation could indirectly compromise confidentiality and integrity of systems. Organizations in sectors with stringent compliance requirements (e.g., finance, healthcare, government) may face regulatory risks if credential management is compromised. The medium CVSS score reflects moderate risk, but the potential for cascading operational impacts elevates the importance of timely remediation.

European organizations using Delinea Secret Server On-Prem should immediately plan and execute an upgrade to version 11.9.47 or later to remediate this vulnerability. Until patched, administrators should monitor password rotation logs closely for failures and avoid enabling the "change password on check in" feature on critical secrets. Implement additional verification steps post-password rotation to confirm credential validity before check-in. Restrict access to the Secret Server to trusted personnel and systems to minimize risk of exploitation. Employ compensating controls such as multi-factor authentication on systems relying on rotated credentials to reduce impact of potential stale passwords. Regularly audit privileged account usage and rotation success rates to detect anomalies. Coordinate with Delinea support for any interim patches or workarounds. Finally, integrate this vulnerability into vulnerability management and incident response processes to ensure rapid detection and response if exploitation attempts occur.