
CVE-2025-1415: CWE-863 Incorrect Authorization in Proget (Proget MDM)

Medium
Tags: Vulnerability, CVE-2025-1415, CVE, CWE-863
Published: Wed May 21 2025 (05/21/2025, 10:38:05 UTC)
Source: CVE
Vendor/Project: Proget
Product: Proget

Description

A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices, such as their UUIDs, which are needed to exploit CVE-2025-1416. To perform the attack one has to know a task_id, but since it is a low integer and there is no limit on the number of requests an attacker can make to the vulnerable endpoint, the task_id can simply be brute-forced. This issue has been fixed in version 2.17.5 of Konsola Proget (the server part of the MDM suite).

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 05:25:21 UTC

Technical Analysis

CVE-2025-1415 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) in the Proget MDM (Mobile Device Management) suite, specifically the Konsola Proget server component. It allows a low-privileged user to read details of tasks executed on devices managed by Proget MDM, including device-specific data such as UUIDs. Those UUIDs matter because they are the identifiers needed to exploit the related vulnerability CVE-2025-1416.

The vulnerable endpoint takes a task_id parameter. The endpoint checks that the caller is authenticated but not that the caller is entitled to the specific task (and device) the task_id refers to; this is the classic insecure direct object reference shape of CWE-863. Because task_id values are small integers and the endpoint applies no rate limiting, an attacker can walk the task_id space and enumerate every task and device the server knows about. Only confidentiality is affected; there is no direct integrity or availability impact, although the disclosed identifiers feed the CVE-2025-1416 attack.

Versions of Konsola Proget before 2.17.5 are affected; the vendor fixed the issue in 2.17.5. Rate limiting and WAF rules only slow the enumeration down; the actual fix is an object-level authorization check on the endpoint, and ideally the same response for a nonexistent task_id and an unauthorized one, so that a brute-forcer cannot even learn which task_ids exist. The CVSS 4.0 base score is 5.1 (medium): attack vector adjacent network (AV:A), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N). No exploitation in the wild had been reported as of the publication date.
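The following is an added example, not Proget code, that models the authorization gap described above: the same task-detail endpoint once with only an authentication check and once with the object-level check it was missing, plus the brute-force walk a low-privileged account would perform against each. The endpoint shape, the user/group/device model and every record are constructed for illustration; the real Konsola Proget data model and endpoint are not known here.

```python
# Added example (not Proget code): a minimal model of the authorization gap
# behind CVE-2025-1415. Endpoint shape, the user/device model and every
# record below are constructed for illustration; the real Konsola Proget
# data model and endpoint are not known here.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str   # "admin" sees every device; "user" sees only its own group
    group: str  # device group the account belongs to


# Constructed sample data: devices belong to groups, tasks target devices.
DEVICES = {
    101: {"uuid": "8b2d3e6a-0001-4c1e-9f00-000000000101", "group": "sales"},
    102: {"uuid": "8b2d3e6a-0002-4c1e-9f00-000000000102", "group": "hr"},
    103: {"uuid": "8b2d3e6a-0003-4c1e-9f00-000000000103", "group": "hr"},
}
TASKS = {  # small sequential ids with gaps, as the advisory describes
    1: {"device": 101, "action": "wipe"},
    2: {"device": 102, "action": "install_profile"},
    3: {"device": 103, "action": "lock"},
    7: {"device": 101, "action": "locate"},
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def _render(task_id: int) -> Dict[str, object]:
    task = TASKS[task_id]
    return {
        "task_id": task_id,
        "action": task["action"],
        "device_uuid": DEVICES[task["device"]]["uuid"],
    }


def get_task_vulnerable(user: Optional[User], task_id: int) -> Dict[str, object]:
    """Checks that the caller is logged in, then serves any task_id.
    This is the CWE-863 pattern: authentication without object-level authorization."""
    if user is None:
        raise Forbidden("authentication required")
    if task_id not in TASKS:
        raise NotFound(task_id)
    return _render(task_id)


def can_view_device(user: User, device_id: int) -> bool:
    """Authorization rule of this toy model (an assumption, not Proget's policy)."""
    return user.role == "admin" or DEVICES[device_id]["group"] == user.group


def get_task_fixed(user: Optional[User], task_id: int) -> Dict[str, object]:
    """Same endpoint with the missing check: the caller must be entitled to the
    device the task runs on. 'Missing' and 'not yours' get the same answer so a
    brute-forcer cannot even learn which task_ids exist."""
    if user is None:
        raise Forbidden("authentication required")
    task = TASKS.get(task_id)
    if task is None or not can_view_device(user, task["device"]):
        raise NotFound(task_id)
    return _render(task_id)


Handler = Callable[[Optional[User], int], Dict[str, object]]


def enumerate_tasks(user: User, handler: Handler, max_id: int = 100) -> Dict[int, str]:
    """What an attacker holding a low-privileged account harvests by walking
    task_id upward against the given handler: {task_id: device_uuid}."""
    harvested: Dict[int, str] = {}
    for task_id in range(1, max_id + 1):
        try:
            harvested[task_id] = str(handler(user, task_id)["device_uuid"])
        except NotFound:
            continue
    return harvested


if __name__ == "__main__":
    mallory = User("mallory", "user", "guests")  # holds no devices at all
    print("vulnerable:", enumerate_tasks(mallory, get_task_vulnerable))
    print("fixed:     ", enumerate_tasks(mallory, get_task_fixed))
```

Against the vulnerable handler an account with no devices at all recovers every device UUID in a hundred requests; against the fixed handler it gets nothing, and a group member gets only its own group's tasks. The point of answering "not found" for both missing and unauthorized ids is that the response no longer confirms which task_ids exist, which is what makes the small-integer id space cheap to walk.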

Potential Impact

For European organizations using Proget MDM, this vulnerability can lead to unauthorized disclosure of device management tasks and device identifiers. Such information leakage can facilitate further targeted attacks, especially if combined with exploitation of CVE-2025-1416, potentially escalating the attacker's capabilities within the managed device environment. This could compromise the confidentiality of device management operations and expose sensitive device metadata. Organizations relying on Proget MDM for managing corporate mobile devices may face risks of data leakage and unauthorized reconnaissance by malicious insiders or external attackers with low-level access. The impact is particularly relevant for sectors with stringent data protection requirements, such as finance, healthcare, and government agencies, where device management data confidentiality is critical. While the vulnerability does not directly affect system integrity or availability, the information disclosure can be a stepping stone for more severe attacks, increasing the overall risk posture.

Mitigation Recommendations

1. Upgrade to Konsola Proget version 2.17.5 or later, where the vulnerability is patched; this is the most effective mitigation.
2. Implement network-level access controls so that the Proget MDM management interfaces are reachable only from trusted administrators and systems.
3. Enforce rate limiting and monitoring on endpoints that expose task information, to detect and slow brute-force attempts on task_id values.
4. Audit user privileges within the MDM system regularly to ensure that low-privileged accounts do not have unnecessary access to sensitive endpoints.
5. Monitor logs for unusual access patterns or repeated requests to task-related endpoints that may indicate exploitation attempts.
6. If immediate patching is not feasible, consider deploying a Web Application Firewall (WAF) with custom rules that block enumeration activity targeting task_id parameters.
7. Educate administrators and users about the risks of information disclosure and encourage prompt reporting of suspicious behavior within the MDM environment.
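Recommendations 3 and 5 come down to spotting one account requesting many different task_ids in a short time. The detector below is an added example, not part of the original page and not Proget's own tooling: it parses access-log lines, counts distinct task_ids per user inside a sliding window, and also reports the longest run of consecutive ids, which separates a sequential brute force from an admin dashboard that legitimately opens many tasks. The log format, the /api/tasks/<id> path and all sample lines are constructed; Konsola Proget's real log format is not known here, so the regular expression must be adapted to whatever the server actually writes.

```python
# Added example (not Proget code): a detector for task_id enumeration over
# access-log lines. The log format, endpoint path and every sample line are
# constructed for this example; Konsola Proget's real log format is not known here.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"GET /api/tasks/(?P<task_id>\d+) status=(?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a parsed event for a task-detail request, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "user": m["user"],
        "task_id": int(m["task_id"]),
        "status": int(m["status"]),
    }


def find_enumerators(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
                     threshold: int = 20) -> Dict[str, Dict[str, int]]:
    """Flag users who request at least `threshold` distinct task_ids within `window`.
    Reports the longest run of consecutive task_ids (a sequential scan signature)
    and how many requests drew a 404 (misses are expected when ids have gaps)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    flagged: Dict[str, Dict[str, int]] = {}
    for user, evs in by_user.items():
        start, best_distinct = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            best_distinct = max(best_distinct, len({e["task_id"] for e in evs[start:end + 1]}))
        run = best_run = 1
        for prev, cur in zip(evs, evs[1:]):
            run = run + 1 if cur["task_id"] == prev["task_id"] + 1 else 1
            best_run = max(best_run, run)
        not_found = sum(1 for e in evs if e["status"] == 404)
        if best_distinct >= threshold:
            flagged[user] = {"distinct": best_distinct, "run": best_run, "not_found": not_found}
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: 'mallory' walks task_id 1..30 one per second while an
    admin opens a few tasks over several minutes. Not real Proget log data."""
    base = datetime(2025, 5, 21, 10, 38, 5, tzinfo=timezone.utc)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    existing = {1, 2, 3, 7, 12, 19, 25}  # ids that exist in this constructed tenant
    lines = [
        f"{stamp(i)} user=mallory src=10.20.0.55 GET /api/tasks/{i} "
        f"status={200 if i in existing else 404}"
        for i in range(1, 31)
    ]
    lines += [
        f"{stamp(0)} user=admin src=10.20.0.2 GET /api/tasks/3 status=200",
        f"{stamp(0)} user=admin src=10.20.0.2 POST /api/tasks status=201",  # skipped by the parser
        f"{stamp(180)} user=admin src=10.20.0.2 GET /api/tasks/7 status=200",
        f"{stamp(400)} user=admin src=10.20.0.2 GET /api/tasks/12 status=200",
    ]
    return lines


if __name__ == "__main__":
    for user, stats in find_enumerators(build_sample_log()).items():
        print(f"{user}: {stats}")
```

On the constructed sample only mallory is flagged: 30 distinct ids in under a minute, a consecutive run of 30, and 23 misses. The threshold and window are tuning knobs; the consecutive-run figure and the 404 ratio are what keep a busy but legitimate administrator out of the alert.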


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-02-18T13:43:44.580Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682db07dc4522896dcbfaee0

Added to database: 5/21/2025, 10:52:45 AM

Last enriched: 7/6/2025, 5:25:21 AM

Last updated: 7/30/2025, 11:50:05 PM

