CVE-2025-14038: CWE-862 Missing Authorization in EnterpriseDB Hybrid Manager - LTS
EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certain gRPC endpoints. This flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should consider upgrading to 1.3.3 as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in the configuration. This allowed requests to bypass both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager - LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager - Innovation should be upgraded to 2025.12.
AI Analysis
Technical Summary
EnterpriseDB Hybrid Manager - LTS versions 1.2 and 1.3 are affected by a high-severity vulnerability identified as CVE-2025-14038, classified under CWE-862 (Missing Authorization). The vulnerability arises from a misconfiguration in the Istio Gateway, which is responsible for enforcing authentication and authorization policies on gRPC endpoints within the Hybrid Manager service. Specifically, certain gRPC endpoints were omitted from the explicit permission definitions in the Istio Gateway configuration. As a result, these endpoints inadvertently allowed unauthenticated and unauthorized access. An attacker can exploit this flaw remotely without any privileges or user interaction, directly invoking the exposed gRPC endpoints. This unauthorized access can lead to two primary impacts: first, the attacker may read sensitive data that should be protected, compromising confidentiality; second, by sending malformed data to these endpoints, the attacker can cause denial-of-service conditions, impacting availability and potentially integrity. The vulnerability does not require authentication, making it easier to exploit over the network. EnterpriseDB has addressed this issue in Hybrid Manager - LTS version 1.3.3 and Hybrid Manager - Innovation version 2025.12, urging all customers to upgrade promptly. The CVSS v3.1 base score is 7.0 (High), reflecting the network attack vector, high impact on availability, and low to moderate impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability's nature and ease of exploitation make it a significant risk for affected deployments.
Potential Impact
For European organizations using EnterpriseDB Hybrid Manager - LTS versions 1.2 or 1.3, this vulnerability poses a substantial risk. Unauthorized access to gRPC endpoints can lead to exposure of sensitive operational or customer data, violating data protection regulations such as GDPR. The potential for denial-of-service attacks could disrupt critical database management operations, affecting business continuity and service availability. Given the reliance on Hybrid Manager for database lifecycle and hybrid cloud management, exploitation could impact multiple sectors including finance, healthcare, and government services where EnterpriseDB products are deployed. The breach of confidentiality and availability could result in regulatory penalties, reputational damage, and operational downtime. The fact that no authentication is required and the attack can be conducted remotely increases the threat level. Organizations with hybrid or cloud database environments managed by EDB Hybrid Manager are particularly vulnerable until patched. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits rapidly after public disclosure.
Mitigation Recommendations
European organizations should prioritize upgrading EnterpriseDB Hybrid Manager - LTS to version 1.3.3 or later, and Hybrid Manager - Innovation to 2025.12 or later, as these versions contain the fix for the Istio Gateway misconfiguration. Until upgrades are applied, organizations should implement network-level controls to restrict access to the gRPC endpoints, such as firewall rules or network segmentation, limiting exposure to trusted internal networks only. Monitoring and logging of gRPC endpoint access should be enhanced to detect anomalous or unauthorized requests promptly. Review and audit Istio Gateway configurations to ensure all endpoints have explicit authentication and authorization policies defined. Employ intrusion detection systems capable of recognizing malformed gRPC traffic patterns that could indicate exploitation attempts. Additionally, conduct penetration testing focused on gRPC interfaces to validate the effectiveness of mitigations. Organizations should also prepare incident response plans specific to potential data exposure or denial-of-service scenarios related to this vulnerability. Finally, maintain awareness of any emerging exploit code or attack campaigns targeting this CVE to respond swiftly.
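The description above and the audit recommendation both come down to one Istio behaviour: when protection is expressed as an explicit list of paths, any path left off the list falls through to the mesh's allow-by-default. The following Python script is an added illustration, not code from EDB Hybrid Manager or from Istio. It models a simplified version of Istio's AuthorizationPolicy evaluation order (matching DENY wins; if any ALLOW policy applies to the workload, one must match; otherwise allow by default), using only path and request-principal selectors and leaving out CUSTOM/AUDIT actions, workload selectors, hosts and methods. The policy names, the `/hm.*` gRPC method paths and the `METHODS` inventory are constructed for the example and are not Hybrid Manager's real configuration. It contrasts the weak enumerate-the-protected-paths pattern with a deny-all baseline plus explicit allow rules, and includes the audit helper a defender would run against a method inventory to find what an unauthenticated caller can still reach.

```python
"""
Simplified evaluator for Istio AuthorizationPolicy decisions on a gateway.

Added illustration, not code from EDB Hybrid Manager or Istio. It models only
to.operation.paths and from.source requestPrincipals / notRequestPrincipals
with the ALLOW / DENY actions; CUSTOM and AUDIT actions, workload selectors,
hosts and HTTP methods are omitted. Policy names and gRPC method paths below
are constructed for the example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class Request:
    path: str                     # gRPC full method name, e.g. "/pkg.Service/Method"
    principal: Optional[str]      # principal from a validated JWT, None if no valid token


@dataclass
class Rule:
    paths: List[str] = field(default_factory=list)        # to.operation.paths ([] = any path)
    request_principals: Optional[List[str]] = None        # from.source.requestPrincipals
    not_request_principals: Optional[List[str]] = None    # from.source.notRequestPrincipals

    def matches(self, req: Request) -> bool:
        if self.paths and not any(fnmatch(req.path, p) for p in self.paths):
            return False
        if self.request_principals is not None:
            if req.principal is None or not any(
                fnmatch(req.principal, p) for p in self.request_principals
            ):
                return False
        if self.not_request_principals is not None:
            # notRequestPrincipals: ["*"] matches exactly the requests carrying no principal
            if req.principal is not None and any(
                fnmatch(req.principal, p) for p in self.not_request_principals
            ):
                return False
        return True


@dataclass
class Policy:
    name: str
    action: str            # "ALLOW" or "DENY"
    rules: List[Rule]      # an ALLOW policy with no rules matches nothing (Istio's deny-all idiom)

    def matches(self, req: Request) -> bool:
        return any(r.matches(req) for r in self.rules)


def evaluate(policies: List[Policy], req: Request) -> str:
    """Istio's order: a matching DENY wins; then, if ALLOW policies exist, one must match;
    only when the workload has no ALLOW policies at all is the request allowed by default."""
    if any(p.matches(req) for p in policies if p.action == "DENY"):
        return "DENY"
    allows = [p for p in policies if p.action == "ALLOW"]
    if not allows:
        return "ALLOW"
    return "ALLOW" if any(p.matches(req) for p in allows) else "DENY"


def unauthenticated_reachable(policies: List[Policy], methods: List[str]) -> List[str]:
    """Audit helper: which known gRPC methods a request with no principal can reach."""
    return [m for m in methods if evaluate(policies, Request(m, None)) == "ALLOW"]


# Constructed inventory of gRPC methods behind the gateway (hypothetical names).
METHODS = [
    "/hm.Clusters/List",
    "/hm.Clusters/Get",
    "/hm.Backups/Export",              # added later and never listed in the policy
    "/grpc.health.v1.Health/Check",    # intentionally public
]

# Weak pattern: protection is an explicit list of paths that must carry a principal.
# Anything not on the list falls through to Istio's allow-by-default.
WEAK = [
    Policy("require-jwt-on-listed-methods", "DENY", [
        Rule(paths=["/hm.Clusters/List", "/hm.Clusters/Get"], not_request_principals=["*"]),
    ]),
]

# Hardened pattern: deny everything, then allow authenticated callers and an explicit public list.
HARDENED = [
    Policy("deny-all-by-default", "ALLOW", []),
    Policy("allow-authenticated", "ALLOW", [Rule(request_principals=["*"])]),
    Policy("allow-public-health", "ALLOW", [Rule(paths=["/grpc.health.v1.Health/Check"])]),
]

if __name__ == "__main__":
    print("weak, no token    :", unauthenticated_reachable(WEAK, METHODS))
    print("hardened, no token:", unauthenticated_reachable(HARDENED, METHODS))
```

Under `WEAK`, the audit reports `/hm.Backups/Export` as reachable without a token alongside the health check, which is the omission pattern the advisory describes; under `HARDENED`, only the health check remains public and a newly added method is denied until someone deliberately allows it. The deny-all baseline is what makes the audit result stable as endpoints are added, and the same `unauthenticated_reachable` check run over a real method inventory (for example, the service's protobuf descriptors) is a practical way to act on the "review and audit Istio Gateway configurations" recommendation.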
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: EDB
- Date Reserved: 2025-12-04T15:37:36.286Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69405034d9bcdf3f3df776ae
Added to database: 12/15/2025, 6:15:16 PM
Last enriched: 12/15/2025, 6:30:19 PM
Last updated: 12/16/2025, 4:51:28 AM