CVE-2025-1417 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) affecting the Proget MDM (Mobile Device Management) system, specifically the Konsola Proget server component. The vulnerability allows a low-privileged user to access sensitive information contained within backups of all devices managed by the MDM. The exposed data includes user identifiers such as user IDs, email addresses, first and last names, and device UUIDs. The device UUIDs are particularly critical as they can be leveraged to exploit a related vulnerability, CVE-2025-1416, potentially leading to further compromise. Exploitation requires knowledge of the UUID of a targeted backup, which is not susceptible to brute force attacks, limiting the ease of exploitation. The vulnerability arises due to improper authorization checks that fail to restrict access to backup data to authorized users only. This issue has been addressed and fixed in version 2.17.5 of Konsola Proget. The CVSS v4.0 base score is 4.6, reflecting a medium severity level, with attack vector being adjacent network, low attack complexity, and requiring low privileges but no user interaction. The vulnerability impacts confidentiality primarily, with limited impact on integrity and availability. No known exploits are currently reported in the wild.

For European organizations using Proget MDM, this vulnerability poses a risk of unauthorized disclosure of sensitive user and device information. Exposure of user IDs, emails, and names can facilitate targeted phishing or social engineering attacks. Disclosure of device UUIDs can enable attackers to chain this vulnerability with CVE-2025-1416, potentially escalating the attack to compromise device management or control. Organizations managing large fleets of mobile devices, especially those handling sensitive or regulated data, could face increased risk of data breaches and compliance violations under GDPR. The confidentiality breach could undermine trust and result in reputational damage. However, the requirement of low privileges and the difficulty in brute forcing UUIDs somewhat limit the scope of impact. Still, insider threats or compromised low-privileged accounts could exploit this vulnerability to gain unauthorized access to backup data.

European organizations should prioritize upgrading Konsola Proget to version 2.17.5 or later, where this vulnerability is patched. Until the upgrade is applied, organizations should enforce strict access controls and monitoring on low-privileged user accounts to detect any unusual access patterns to backup data. Implement network segmentation to limit access to the MDM server from only trusted and necessary network segments. Employ strong authentication and role-based access control (RBAC) to minimize the number of users with access to backup information. Regularly audit backup access logs for anomalies. Additionally, organizations should review and harden backup storage permissions to ensure that sensitive backup data is not accessible beyond authorized personnel. Finally, educate users about the risks of phishing and social engineering that could leverage leaked user information.