CVE-2025-1415: CWE-863 Incorrect Authorization in Proget Proget
A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416. In order to perform the attack, one has to know a task_id, but since it's a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
AI Analysis
Technical Summary
CVE-2025-1415 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) in the Proget MDM (Mobile Device Management) suite, specifically the Konsola Proget server component. An authenticated but low-privileged user can read information about tasks executed on devices managed by Proget MDM, including device details such as UUIDs. Those UUIDs matter because they are the identifiers needed to exploit the related vulnerability CVE-2025-1416. The only input the attacker needs is a task_id, which is a low integer; because the vulnerable endpoint imposes no limit on the number of requests, the id space can simply be brute forced and every task and device enumerated. The root cause is that the endpoint checks that the caller is logged in but not that the caller is authorized to view the specific task and device it returns, the classic insecure direct object reference pattern. The vendor fixed the issue in Konsola Proget 2.17.5; versions prior to 2.17.5 are affected. The CVSS 4.0 base score is 5.1 (medium): attack vector adjacent network (AV:A), low attack complexity (AC:L), low privileges required (PR:L, i.e. an ordinary user account is enough), and no user interaction (UI:N). The impact is limited to confidentiality, with no direct integrity or availability impact. No exploitation in the wild had been reported as of publication.
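The following is an added example written for this page, not Proget's code: it models the CWE-863 pattern described above with a hypothetical in-memory data model (devices, tasks, groups and the role names "admin"/"user" are all assumptions), shows how a low-privileged account walking a sequential task_id space harvests every device UUID from a handler that only checks authentication, and contrasts it with a handler that performs object-level authorization and returns the same "not found" result for both unauthorized and nonexistent ids, so the endpoint cannot be used as an oracle for which task_ids exist.

```python
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed data model, NOT Proget's schema: a task runs on one device and a
# device belongs to one administrative group. Group names are placeholders.
@dataclass(frozen=True)
class Device:
    device_id: int
    device_uuid: str
    group: str

@dataclass(frozen=True)
class Task:
    task_id: int
    device: Device
    action: str

@dataclass(frozen=True)
class User:
    name: str
    role: str              # "admin" or "user": hypothetical role names
    groups: frozenset      # groups a non-admin user may manage

def _uuid(n: int) -> str:
    # Deterministic UUIDs so the example is reproducible (real MDMs use random ones).
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, f"device-{n}.example.invalid"))

DEVICES = [Device(i, _uuid(i), grp)
           for i, grp in enumerate(["finance", "finance", "hr", "ops"], start=1)]

# Low, sequential task_ids, as the advisory describes.
TASKS = {t.task_id: t for t in (
    Task(1, DEVICES[0], "lock"), Task(2, DEVICES[1], "wipe"),
    Task(3, DEVICES[2], "install"), Task(4, DEVICES[3], "locate"))}

ADMIN = User("mdm-admin", "admin", frozenset())
LOW_PRIV = User("intern", "user", frozenset({"hr"}))

def _render(task: Task) -> dict:
    return {"task_id": task.task_id, "action": task.action,
            "device_uuid": task.device.device_uuid}

def get_task_vulnerable(user: User, task_id: int) -> Optional[dict]:
    """CWE-863 pattern: the handler assumes the caller is authenticated and
    never checks whether this user may see this task's device."""
    task = TASKS.get(task_id)
    return _render(task) if task else None

def get_task_hardened(user: User, task_id: int) -> Optional[dict]:
    """Object-level authorization: the caller must be an admin or manage the
    group of the device the task ran on. Unauthorized and nonexistent ids
    both return None, so the response does not reveal which ids exist."""
    task = TASKS.get(task_id)
    if task is None:
        return None
    if user.role != "admin" and task.device.group not in user.groups:
        return None
    return _render(task)

def enumerate_tasks(user: User, fetch: Callable[[User, int], Optional[dict]],
                    max_id: int = 1000) -> dict:
    """Walk the id space the way a client would when nothing rate-limits the
    endpoint; returns {task_id: device_uuid} for every task the caller got."""
    found = {}
    for task_id in range(1, max_id + 1):
        rec = fetch(user, task_id)
        if rec is not None:
            found[task_id] = rec["device_uuid"]
    return found

if __name__ == "__main__":
    print("vulnerable:", enumerate_tasks(LOW_PRIV, get_task_vulnerable))
    print("hardened:  ", enumerate_tasks(LOW_PRIV, get_task_hardened))
```

Against the vulnerable handler the "intern" account recovers all four device UUIDs in a thousand requests; against the hardened one it sees only the task on the device in its own group, and it cannot tell an id it is not allowed to see from an id that does not exist. Note that the fix is the per-object check, not the rate limit: rate limiting only slows the walk down.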
Potential Impact
For European organizations using Proget MDM, this vulnerability exposes device management tasks and device identifiers to anyone holding a low-privileged account on the console, whether a malicious insider or an external attacker who has obtained such credentials. On its own the leak affects only confidentiality, but the disclosed UUIDs are the prerequisite for exploiting CVE-2025-1416, so the two issues chained together can extend an attacker's reach within the managed device fleet. Sectors with strict data protection requirements, such as finance, healthcare and government, are most exposed because the device inventory and task history of a corporate fleet are sensitive operational data. System integrity and availability are not directly affected, but the reconnaissance value of the disclosure raises the overall risk posture.
Mitigation Recommendations
1. Upgrade Konsola Proget to version 2.17.5 or later, where the vulnerability is patched; this is the only complete fix.
2. Restrict network access to the Proget MDM management interfaces to trusted administrators and systems. This narrows exposure but does not address the flaw itself, since the attacker only needs a low-privileged account that is already allowed to reach the console.
3. Enforce rate limiting on the endpoints that expose task information and monitor them for brute-force attempts on task_id values.
4. Audit user privileges within the MDM system regularly so that low-privileged accounts do not retain unnecessary access to sensitive endpoints.
5. Monitor logs for unusual access patterns, in particular many requests for sequential task_id values from one account or address in a short period, which is the signature of enumeration.
6. If immediate patching is not feasible, deploy Web Application Firewall (WAF) rules that block enumeration of task_id parameters.
7. Educate administrators and users about information-disclosure risks and encourage prompt reporting of suspicious behaviour in the MDM environment.
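As an added example of the log monitoring in recommendations 3 and 5 (written for this page, not a Proget feature), the detector below parses a constructed access log in a common-log-like format, with a placeholder route /api/tasks/<id> standing in for whatever the real task endpoint is, and flags any (address, account) pair that requests many distinct task_ids inside a short window. The sample log, the route, the field layout and the thresholds are all assumptions; the sequential-step ratio is what distinguishes an id walk from a busy but legitimate administrator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder route for the task endpoint; the real Proget path is not known
# from the advisory, and the log format below is constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /api/tasks/(?P<task_id>\d+) HTTP/1\.1" (?P<status>\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _build_sample_log() -> list:
    """Constructed access log: one low-privileged account walks task_ids 1-60
    in about 20 seconds (the last 20 ids do not exist and return 404), while
    a normal admin looks at two tasks over 15 minutes."""
    base = datetime(2025, 5, 21, 10, 52, 0, tzinfo=timezone.utc)
    line = '{ip} {user} [{ts}] "GET /api/tasks/{tid} HTTP/1.1" {status}'
    out = []
    for i in range(60):
        ts = (base + timedelta(seconds=i // 3)).strftime(TS_FMT)
        out.append(line.format(ip="10.0.0.5", user="intern", ts=ts,
                               tid=i + 1, status=200 if i < 40 else 404))
    for offset, tid in ((5, 17), (400, 4), (900, 17)):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        out.append(line.format(ip="10.0.0.9", user="alice", ts=ts,
                               tid=tid, status=200))
    return out

SAMPLE_LOG = _build_sample_log()

def parse(lines):
    """Yield (ip, user, timestamp, task_id, status) for task-endpoint hits."""
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if m:
            yield (m["ip"], m["user"], datetime.strptime(m["ts"], TS_FMT),
                   int(m["task_id"]), int(m["status"]))

def detect_enumeration(lines, window_s: int = 60, threshold: int = 20) -> list:
    """Flag any (ip, user) that requests at least `threshold` distinct task_ids
    within `window_s` seconds. The sequential ratio (share of consecutive id
    steps equal to 1) separates an id walk from a busy but legitimate admin."""
    by_actor = defaultdict(list)
    for ip, user, ts, tid, status in parse(lines):
        by_actor[(ip, user)].append((ts, tid, status))
    alerts = []
    for (ip, user), events in by_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            win = events[start:end + 1]
            ids = [tid for _, tid, _ in win]
            if len(set(ids)) >= threshold:
                steps = [b - a for a, b in zip(ids, ids[1:])]
                alerts.append({
                    "ip": ip, "user": user,
                    "window_start": win[0][0].isoformat(),
                    "distinct_ids": len(set(ids)),
                    "id_range": (min(ids), max(ids)),
                    "sequential_ratio": sum(s == 1 for s in steps) / max(len(steps), 1),
                    "not_found": sum(st == 404 for _, _, st in win),
                })
                break   # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

On the constructed log only the "intern" account trips the rule, with a sequential ratio of 1.0; the admin's three scattered requests do not. In production the threshold should be set from a baseline of normal console use, and the 404 count is worth keeping in the alert because a walk past the highest existing id produces a run of misses that ordinary use never does.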
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-02-18T13:43:44.580Z
- Cisa Enriched: false
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682db07dc4522896dcbfaee0
Added to database: 5/21/2025, 10:52:45 AM
Last enriched: 7/6/2025, 5:25:21 AM
Last updated: 7/30/2025, 11:50:05 PM
Related Threats
- CVE-2025-8113: CWE-79 Cross-Site Scripting (XSS) in Ebook Store (Medium)
- CVE-2025-8293: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Theerawat Patthawee Intl DateTime Calendar (Medium)
- CVE-2025-7686: CWE-352 Cross-Site Request Forgery (CSRF) in lmyoaoa weichuncai(WP伪春菜) (Medium)
- CVE-2025-7684: CWE-352 Cross-Site Request Forgery (CSRF) in remysharp Last.fm Recent Album Artwork (Medium)
- CVE-2025-7683: CWE-352 Cross-Site Request Forgery (CSRF) in janyksteenbeek LatestCheckins (Medium)