
CVE-2025-1417: CWE-863 Incorrect Authorization in Proget Proget

Severity: Medium
Tags: Vulnerability, CVE-2025-1417, CWE-863
Published: Wed May 21 2025 (05/21/2025, 13:03:35 UTC)
Source: CVE
Vendor/Project: Proget
Product: Proget

Description

In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information includes user IDs, email addresses, first names, last names and device UUIDs. The last one can be used for exploitation of CVE-2025-1416. Successful exploitation requires the UUID of a targeted backup, which cannot be brute forced. This issue has been fixed in version 2.17.5 of Konsola Proget (the server part of the MDM suite).

AI-Powered Analysis

Last updated: 07/06/2025, 05:25:47 UTC

Technical Analysis

CVE-2025-1417 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) affecting the Proget MDM (Mobile Device Management) system, specifically the Konsola Proget server component. The vulnerability allows a low-privileged user to access sensitive information contained within backups of all devices managed by the MDM. The exposed data includes user IDs, email addresses, first and last names, and device UUIDs. The device UUIDs are particularly critical because they can be leveraged to exploit a related vulnerability, CVE-2025-1416, potentially leading to further compromise. Exploitation requires knowledge of the UUID of a targeted backup, which is not susceptible to brute-force attacks, limiting the ease of exploitation. The vulnerability arises from improper authorization checks that fail to restrict access to backup data to authorized users only. This issue has been addressed and fixed in version 2.17.5 of Konsola Proget. The CVSS v4.0 base score is 4.6, reflecting medium severity, with an adjacent-network attack vector, low attack complexity, low privileges required and no user interaction. The vulnerability primarily impacts confidentiality, with limited impact on integrity and availability. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using Proget MDM, this vulnerability poses a risk of unauthorized disclosure of sensitive user and device information. Exposure of user IDs, emails, and names can facilitate targeted phishing or social engineering attacks. Disclosure of device UUIDs can enable attackers to chain this vulnerability with CVE-2025-1416, potentially escalating the attack to compromise device management or control. Organizations managing large fleets of mobile devices, especially those handling sensitive or regulated data, could face increased risk of data breaches and compliance violations under GDPR. The confidentiality breach could undermine trust and result in reputational damage. However, the requirement of low privileges and the difficulty in brute forcing UUIDs somewhat limit the scope of impact. Still, insider threats or compromised low-privileged accounts could exploit this vulnerability to gain unauthorized access to backup data.

Mitigation Recommendations

European organizations should prioritize upgrading Konsola Proget to version 2.17.5 or later, where this vulnerability is patched. Until the upgrade is applied, organizations should enforce strict access controls and monitoring on low-privileged user accounts to detect any unusual access patterns to backup data. Implement network segmentation to limit access to the MDM server from only trusted and necessary network segments. Employ strong authentication and role-based access control (RBAC) to minimize the number of users with access to backup information. Regularly audit backup access logs for anomalies. Additionally, organizations should review and harden backup storage permissions to ensure that sensitive backup data is not accessible beyond authorized personnel. Finally, educate users about the risks of phishing and social engineering that could leverage leaked user information.


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-02-18T13:43:46.725Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682dd047c4522896dcbfd718

Added to database: 5/21/2025, 1:08:23 PM

Last enriched: 7/6/2025, 5:25:47 AM

Last updated: 8/17/2025, 3:55:43 PM
