CVE-2025-1418 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) affecting the Proget MDM (Mobile Device Management) solution, specifically the Konsola Proget server component. The flaw allows a low-privileged user to access information about configuration profiles created within the Proget MDM system. These profiles define allowed and prohibited functions for managed mobile devices. Although the profiles do not contain sensitive information such as usage data or device-specific details, unauthorized access to these profiles could potentially aid an attacker in understanding the security posture and restrictions enforced by the MDM system. The vulnerability arises from insufficient authorization checks that fail to restrict access to profile metadata to only authorized users. The issue has been addressed in version 2.17.5 of Konsola Proget. The CVSS 4.0 base score is 5.1, reflecting a medium impact with attack vector being adjacent network (AV:A), low attack complexity, no privileges required beyond low privilege (PR:L), no user interaction needed, and limited confidentiality impact. There are no known exploits in the wild at this time.

For European organizations using Proget MDM, this vulnerability could lead to unauthorized disclosure of MDM profile configurations. While the profiles do not contain sensitive personal or device-specific data, knowledge of allowed and prohibited functions could assist malicious insiders or external attackers who have gained low-level access in crafting targeted attacks or bypassing security controls. This could weaken the overall security posture of mobile device management within the organization, potentially facilitating further exploitation or lateral movement. The impact on confidentiality is limited, and there is no direct impact on integrity or availability. However, in regulated industries or organizations with strict compliance requirements, even limited unauthorized information disclosure may have legal or reputational consequences. Since exploitation does not require user interaction and only low privileges, the risk of exposure is moderate but should be addressed promptly.

European organizations should ensure that all Proget MDM deployments are updated to version 2.17.5 or later, where the authorization flaw has been fixed. Until patching is completed, organizations should restrict access to the Konsola Proget server interface to trusted administrators only and monitor access logs for unusual activity by low-privileged users. Implement network segmentation to limit access to the MDM server from untrusted networks or user groups. Conduct regular audits of user privileges to ensure that only necessary personnel have access to MDM management consoles. Additionally, consider implementing multi-factor authentication (MFA) for all administrative access to reduce the risk of unauthorized access. Organizations should also review their mobile device security policies to ensure that exposure of profile metadata does not inadvertently reveal sensitive operational details.