
CVE-2025-1418: CWE-863 Incorrect Authorization in Proget Proget

Medium
Tags: Vulnerability, CVE-2025-1418, CWE-863
Published: Wed May 21 2025 (05/21/2025, 13:03:44 UTC)
Source: CVE
Vendor/Project: Proget
Product: Proget

Description

A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage in connected devices). This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

AI-Powered Analysis

Last updated: 07/06/2025, 05:25:57 UTC

Technical Analysis

CVE-2025-1418 is a medium-severity Incorrect Authorization flaw (CWE-863) in Proget MDM (Mobile Device Management), specifically in Konsola Proget, the server component of the suite. A user holding only a low-privileged account can read the configuration profiles defined in the console. Profiles describe which device functions a policy allows and which it prohibits; according to the vendor description they contain no sensitive data and do not reveal which connected devices use them. Consistent with CWE-863, the server accepts the request from an authenticated session without confirming that the account's role is entitled to read profile definitions, so profile metadata is exposed to any account on the system. Even without sensitive content, that metadata tells a reader what restrictions the MDM enforces, which is useful reconnaissance. The issue is fixed in Konsola Proget 2.17.5. The CVSS 4.0 base score is 5.1 (medium): adjacent-network attack vector (AV:A), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and a limited confidentiality impact with no integrity or availability impact. No exploitation in the wild is known at the time of writing.
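The following is an added illustration of the CWE-863 pattern described above, not Proget code (Proget's implementation is not public on this page). The data model, role names and endpoint are hypothetical: the vulnerable handler checks only that a session exists, while the fixed handler consults an explicit permission table before returning profile definitions.

```python
"""CWE-863 (Incorrect Authorization) on a profile-listing endpoint.

Added example, not Proget code. Profiles, roles and permission names below are
hypothetical and only model the class of flaw the advisory describes.
"""
from dataclasses import dataclass


# Constructed sample profiles: the shape (allowed/prohibited function lists) follows
# the advisory's description; the field names are assumptions.
PROFILES = [
    {"id": 1, "name": "Sales phones", "allowed": ["camera", "bluetooth"],
     "prohibited": ["usb_debugging", "sideload"]},
    {"id": 2, "name": "Exec tablets", "allowed": ["vpn"],
     "prohibited": ["camera", "screenshot"]},
]


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    roles: frozenset = frozenset()


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def list_profiles_vulnerable(user: User) -> list:
    """The CWE-863 shape: authentication is verified, entitlement is not.

    Any logged-in account, whatever its role, receives every profile definition.
    """
    if not user.authenticated:
        raise Unauthenticated(user.name)
    return PROFILES


# Explicit mapping from operation to the roles allowed to perform it (hypothetical roles).
PERMISSIONS = {
    "profile:read": {"admin", "profile_manager"},
    "profile:write": {"admin"},
}


def authorize(user: User, permission: str) -> None:
    """Function-level authorization: fail closed unless a role grants the permission."""
    if not user.authenticated:
        raise Unauthenticated(user.name)
    allowed_roles = PERMISSIONS.get(permission, set())
    if not (user.roles & allowed_roles):
        raise Forbidden(f"{user.name} lacks {permission}")


def list_profiles_fixed(user: User) -> list:
    """Same endpoint with the missing entitlement check added."""
    authorize(user, "profile:read")
    return PROFILES


def can_read_profiles(handler, user: User) -> bool:
    """True if `handler` hands profile definitions to `user`, False if it refuses."""
    try:
        handler(user)
        return True
    except (Unauthenticated, Forbidden):
        return False


if __name__ == "__main__":
    admin = User("alice", True, frozenset({"admin"}))
    low = User("bob", True, frozenset({"device_user"}))
    for handler in (list_profiles_vulnerable, list_profiles_fixed):
        print(handler.__name__, "admin:", can_read_profiles(handler, admin),
              "low-priv:", can_read_profiles(handler, low))
```

The important detail is that `authorize` denies by default: an operation missing from the permission table is refused rather than granted, so adding a new endpoint without registering its permission cannot silently reopen the same hole.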

Potential Impact

For European organizations running Proget MDM, the practical effect is disclosure of MDM profile configurations to accounts that should not see them. The profiles carry no personal or device-specific data, but a malicious insider, or an attacker who has obtained a low-privileged console account, can use the allowed/prohibited function lists to map which controls the organization enforces on its managed devices and which it does not, and plan further activity around those gaps. The impact is confined to confidentiality; integrity and availability are not affected. In regulated sectors, even a limited unauthorized disclosure of configuration data may still carry compliance or reputational consequences. Because exploitation needs no user interaction and only a low-privileged account, the exposure is moderate and should be closed promptly.

Mitigation Recommendations

Update every Konsola Proget deployment to version 2.17.5 or later, which contains the authorization fix. Until that is done: restrict access to the Konsola Proget console to trusted administrators; review the access logs for low-privileged accounts reading profile definitions; and segment the network so that the MDM server is reachable only from administrative networks, which matters here because the reported attack vector is adjacent network (AV:A). Audit console accounts regularly so that only staff who need console access hold it, and remove or downgrade stale low-privileged accounts, since each one is a foothold for this issue. Multi-factor authentication on administrative access is sound hardening but does not close this flaw by itself, because the attacker already holds a valid low-privileged session. Finally, review the profiles themselves: their names and allowed/prohibited lists should not encode operational details that would be damaging if read by an ordinary user.
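Two of the checks above (confirming the installed version is at or beyond 2.17.5, and reviewing logs for low-privileged accounts reading profiles) are easy to get wrong by hand, so here is an added triage script. It is not part of the advisory or of Proget: the fixed version comes from the advisory, but the access-log layout, the role names and the `/api/profiles` path are constructed assumptions and must be adapted to the real server's logs.

```python
"""Pre-patch triage for CVE-2025-1418 (added example, not vendor tooling).

Assumptions: Konsola Proget versions are plain major.minor.patch strings, and the
access log has one request per line as "timestamp user role METHOD path status".
Both are hypothetical; adjust parse_version/LINE_RE to the real deployment.
"""
import re
from collections import Counter
from typing import Iterable

FIXED_VERSION = (2, 17, 5)  # from the advisory: fixed in Konsola Proget 2.17.5

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """'2.17.4' -> (2, 17, 4).

    Comparing tuples of ints avoids the lexical trap where '2.17.10' < '2.17.5'.
    Anything other than major.minor.patch is rejected rather than guessed.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(installed: str) -> bool:
    """True when the installed Konsola Proget version contains the fix."""
    return parse_version(installed) >= FIXED_VERSION


# Constructed sample log in the assumed layout (not real Proget log output).
SAMPLE_LOG = """\
2025-05-22T08:01:12Z alice admin GET /api/profiles 200
2025-05-22T08:03:40Z bob device_user GET /api/profiles 200
2025-05-22T08:03:41Z bob device_user GET /api/profiles/2 200
2025-05-22T08:10:05Z carol helpdesk GET /api/devices 200
2025-05-22T08:12:30Z dave device_user GET /api/profiles 403
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
PRIVILEGED_ROLES = {"admin", "profile_manager"}  # roles entitled to read profiles (assumed)
PROFILE_PATH_RE = re.compile(r"^/api/profiles(/\d+)?$")  # assumed endpoint


def suspicious_profile_reads(lines: Iterable[str]) -> list:
    """Successful profile reads by accounts outside PRIVILEGED_ROLES.

    A 403 means the server refused the request, so it is not counted as a read;
    malformed lines are skipped rather than treated as evidence.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec["role"] in PRIVILEGED_ROLES:
            continue
        if not PROFILE_PATH_RE.match(rec["path"]):
            continue
        if rec["status"] != "200":
            continue
        hits.append(rec)
    return hits


def reads_by_user(lines: Iterable[str]) -> dict:
    """Count of suspicious profile reads per low-privileged account."""
    return dict(Counter(rec["user"] for rec in suspicious_profile_reads(lines)))


if __name__ == "__main__":
    for v in ("2.17.4", "2.17.5", "2.17.10"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    print(reads_by_user(SAMPLE_LOG.splitlines()))
```

Run it against the real log after replacing `LINE_RE`, the role set and the path pattern; accounts that appear in `reads_by_user` on an unpatched server are the ones whose profile views predate the fix and deserve a closer look.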


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-02-18T13:43:47.696Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682dd047c4522896dcbfd71a

Added to database: 5/21/2025, 1:08:23 PM

Last enriched: 7/6/2025, 5:25:57 AM

Last updated: 8/11/2025, 8:41:35 PM

