CVE-2025-1418: CWE-863 Incorrect Authorization in Proget Proget
A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage on connected devices). This issue has been fixed in version 2.17.5 of Konsola Proget (the server part of the MDM suite).
AI Analysis
Technical Summary
CVE-2025-1418 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) affecting the Proget MDM (Mobile Device Management) solution, specifically the Konsola Proget server component. The flaw allows a low-privileged user to read information about configuration profiles created within the Proget MDM system. These profiles define the allowed and prohibited functions for managed mobile devices. Although the profiles contain no sensitive information such as usage data or device-specific details, unauthorized access to them could help an attacker understand the restrictions the MDM system enforces and the resulting security posture. The root cause is an authorization check that fails to restrict profile metadata to users who are entitled to see it. The issue has been addressed in version 2.17.5 of Konsola Proget. The CVSS 4.0 base score is 5.1, reflecting medium impact: adjacent-network attack vector (AV:A), low attack complexity, low privileges required (PR:L), no user interaction, and limited confidentiality impact. There are no known exploits in the wild at this time.
Potential Impact
For European organizations using Proget MDM, this vulnerability could lead to unauthorized disclosure of MDM profile configurations. While the profiles do not contain sensitive personal or device-specific data, knowledge of allowed and prohibited functions could assist malicious insiders or external attackers who have gained low-level access in crafting targeted attacks or bypassing security controls. This could weaken the overall security posture of mobile device management within the organization, potentially facilitating further exploitation or lateral movement. The impact on confidentiality is limited, and there is no direct impact on integrity or availability. However, in regulated industries or organizations with strict compliance requirements, even limited unauthorized information disclosure may have legal or reputational consequences. Since exploitation does not require user interaction and only low privileges, the risk of exposure is moderate but should be addressed promptly.
Mitigation Recommendations
European organizations should ensure that all Proget MDM deployments are updated to version 2.17.5 or later, where the authorization flaw has been fixed. Until patching is completed, organizations should restrict access to the Konsola Proget server interface to trusted administrators only and monitor access logs for unusual activity by low-privileged users. Implement network segmentation to limit access to the MDM server from untrusted networks or user groups. Conduct regular audits of user privileges to ensure that only necessary personnel have access to MDM management consoles. Additionally, consider implementing multi-factor authentication (MFA) for all administrative access to reduce the risk of unauthorized access. Organizations should also review their mobile device security policies to ensure that exposure of profile metadata does not inadvertently reveal sensitive operational details.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-02-18T13:43:47.696Z
- CISA Enriched: false
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682dd047c4522896dcbfd71a
Added to database: 5/21/2025, 1:08:23 PM
Last enriched: 7/6/2025, 5:25:57 AM
Last updated: 7/30/2025, 4:08:45 PM