CVE-2025-1415 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) affecting the Proget MDM (Mobile Device Management) suite, specifically the Konsola Proget server component. The vulnerability allows a low-privileged user to access sensitive information about tasks executed on devices managed by Proget MDM, including device-specific details such as UUIDs. These UUIDs are critical as they can be leveraged to exploit a related vulnerability, CVE-2025-1416. The attack vector requires knowledge of a task_id parameter, which is a low integer value. Due to the lack of request rate limiting on the vulnerable endpoint, an attacker can brute force task_ids to enumerate tasks and device information. This flaw arises from insufficient authorization checks on the endpoint that exposes task details, allowing unauthorized information disclosure. The vulnerability affects all versions prior to 2.17.5 of Konsola Proget, with the vendor having addressed the issue in version 2.17.5. The CVSS 4.0 base score is 5.1, reflecting a medium severity level, with attack vector being adjacent network (AV:A), low attack complexity (AC:L), no privileges required beyond low-level user (PR:L), and no user interaction (UI:N). The impact is limited to confidentiality, with no direct integrity or availability impact. No known exploits are reported in the wild as of the publication date.

For European organizations using Proget MDM, this vulnerability can lead to unauthorized disclosure of device management tasks and device identifiers. Such information leakage can facilitate further targeted attacks, especially if combined with exploitation of CVE-2025-1416, potentially escalating the attacker's capabilities within the managed device environment. This could compromise the confidentiality of device management operations and expose sensitive device metadata. Organizations relying on Proget MDM for managing corporate mobile devices may face risks of data leakage and unauthorized reconnaissance by malicious insiders or external attackers with low-level access. The impact is particularly relevant for sectors with stringent data protection requirements, such as finance, healthcare, and government agencies, where device management data confidentiality is critical. While the vulnerability does not directly affect system integrity or availability, the information disclosure can be a stepping stone for more severe attacks, increasing the overall risk posture.

1. Immediate upgrade to Konsola Proget version 2.17.5 or later, where the vulnerability is patched, is the most effective mitigation. 2. Implement network-level access controls to restrict access to the Proget MDM management interfaces only to trusted administrators and systems. 3. Enforce rate limiting and monitoring on endpoints exposing task information to detect and prevent brute force attempts on task_id values. 4. Conduct regular audits of user privileges within the MDM system to ensure that low-privileged accounts do not have unnecessary access to sensitive endpoints. 5. Monitor logs for unusual access patterns or repeated requests to task-related endpoints that may indicate exploitation attempts. 6. If immediate patching is not feasible, consider deploying Web Application Firewalls (WAFs) with custom rules to block suspicious enumeration activities targeting task_id parameters. 7. Educate administrators and users about the risks of information disclosure and encourage prompt reporting of suspicious behavior within the MDM environment.