
CVE-2025-29556: n/a

Severity: High
Published: Thu Jul 31 2025 (07/31/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control. Since version 6.3, ExaGrid enforces restrictions preventing users with the Admin role from creating or modifying users with the Security Officer role without approval. However, a flaw in the account creation process allows an attacker to bypass these restrictions via API request manipulation. An attacker with Admin access can intercept and modify the API request during user creation, altering the parameters to assign the new account to the ExaGrid Security Officers group without the required approval.

AI-Powered Analysis

Last updated: 07/31/2025, 16:32:52 UTC

Technical Analysis

CVE-2025-29556 is a vulnerability affecting ExaGrid EX10 appliances running firmware versions 6.3 through 7.0.1.P08. The issue stems from an incorrect access control mechanism in the user account creation process. ExaGrid implemented restrictions to prevent users with the Admin role from creating or modifying accounts assigned to the Security Officer role without explicit approval. However, this control can be bypassed by an attacker who already has Admin-level access. By intercepting and manipulating the API request used during user creation, the attacker can alter parameters to assign the new account to the Security Officers group without triggering the required approval workflow. This flaw effectively allows privilege escalation within the system, enabling an attacker to create or modify high-privilege accounts without oversight. Although exploitation requires Admin access, it is still a privilege escalation: an Admin gains Security Officer capabilities that the approval workflow was designed to withhold, yielding a more powerful foothold within the ExaGrid environment. The lack of a CVSS score and absence of known exploits in the wild suggest this is a newly disclosed vulnerability. However, the potential for abuse is significant given the elevated privileges granted to Security Officers, who typically have broad control over security policies and monitoring within the appliance. The vulnerability affects a widely used backup storage appliance, which is critical infrastructure for data protection and disaster recovery in many organizations.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial. ExaGrid appliances are commonly deployed in enterprise environments for backup and data retention, making them critical components of IT infrastructure. An attacker exploiting this vulnerability could create or modify Security Officer accounts without approval, gaining elevated privileges that allow them to alter security configurations, disable monitoring, or cover tracks. This could lead to unauthorized data access, tampering with backup data integrity, or disruption of backup operations, potentially resulting in data loss or failure to recover from incidents. The breach of backup systems can also facilitate ransomware attacks or data exfiltration, as attackers may manipulate backups to evade detection or restore malicious states. Given the stringent data protection regulations in Europe, such as GDPR, any compromise of backup data or security controls could lead to regulatory penalties and reputational damage. Additionally, the requirement for Admin access to exploit means that insider threats or compromised Admin accounts pose a significant risk vector. Organizations relying on ExaGrid for critical backup infrastructure must consider this vulnerability a serious threat to their data security and operational resilience.

Mitigation Recommendations

To mitigate this vulnerability, European organizations using ExaGrid EX10 appliances should take the following specific steps:

1) Immediately review and restrict Admin role assignments to trusted personnel only, minimizing the risk of insider exploitation.
2) Implement strict monitoring and logging of all user creation and modification activities, with alerts for any changes involving Security Officer roles.
3) Employ network-level protections such as API request validation proxies or web application firewalls that can detect and block unauthorized parameter manipulation in API calls.
4) Conduct regular audits of user accounts and roles to identify any unauthorized Security Officer accounts created without approval.
5) Engage with ExaGrid support or vendor channels to obtain patches or firmware updates addressing this vulnerability as soon as they become available.
6) Consider implementing multi-factor authentication (MFA) for Admin accounts to reduce the risk of credential compromise.
7) Isolate backup appliances in segmented network zones with limited access to reduce the attack surface.

These targeted measures go beyond generic advice by focusing on the specific exploitation vector (API request manipulation) and the criticality of role-based access controls within the ExaGrid environment.
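As an added illustration of steps 2 and 4 above (not part of the advisory, and not ExaGrid code), the script below scans a constructed audit log for user create/modify events that place an account in the Security Officers group without a prior approval issued by a Security Officer. The JSON event schema, field names and sample accounts are assumptions for this example; ExaGrid's real audit format is not described on this page.

```python
import json
from typing import Dict, List

SO_GROUP = "Security Officers"

# Constructed sample audit events (JSON lines). The schema is assumed for this
# example; the advisory does not document ExaGrid's actual audit log format.
SAMPLE_LOG = [
    '{"ts":"2025-07-31T10:00:01Z","event":"user.create","actor":"alice","actor_role":"Admin",'
    '"target":"bob","groups":["Backup Operators"],"approval_id":null}',
    '{"ts":"2025-07-31T10:05:12Z","event":"approval.grant","actor":"so_carol",'
    '"actor_role":"Security Officer","approval_id":"APR-17","target":"dave"}',
    '{"ts":"2025-07-31T10:05:40Z","event":"user.create","actor":"alice","actor_role":"Admin",'
    '"target":"dave","groups":["Security Officers"],"approval_id":"APR-17"}',
    '{"ts":"2025-07-31T11:20:03Z","event":"user.create","actor":"alice","actor_role":"Admin",'
    '"target":"mallory","groups":["Security Officers"],"approval_id":null}',
    '{"ts":"2025-07-31T11:30:30Z","event":"approval.grant","actor":"alice",'
    '"actor_role":"Admin","approval_id":"APR-99","target":"bob"}',
    '{"ts":"2025-07-31T11:31:00Z","event":"user.modify","actor":"alice","actor_role":"Admin",'
    '"target":"bob","groups":["Security Officers"],"approval_id":"APR-99"}',
]


def find_unapproved_so_changes(lines: List[str]) -> List[Dict]:
    """Return create/modify events that assign the Security Officers group
    without a valid, earlier approval granted by a Security Officer."""
    events = [json.loads(line) for line in lines]
    # Only approvals issued by a Security Officer count; an Admin cannot self-approve.
    approvals = {e["approval_id"]: e for e in events
                 if e["event"] == "approval.grant" and e["actor_role"] == "Security Officer"}
    findings = []
    for e in events:
        if e["event"] not in ("user.create", "user.modify"):
            continue
        if SO_GROUP not in e.get("groups", []):
            continue
        apr = approvals.get(e.get("approval_id"))
        if apr is None:
            reason = "no Security Officer approval recorded"
        elif apr["target"] != e["target"]:
            reason = f"approval {apr['approval_id']} was issued for a different account"
        elif apr["ts"] > e["ts"]:  # ISO-8601 UTC strings compare chronologically
            reason = "approval recorded after the change"
        else:
            continue  # properly approved, nothing to report
        findings.append({"ts": e["ts"], "actor": e["actor"], "target": e["target"],
                         "event": e["event"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_so_changes(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports the creation of "mallory" and the modification of "bob" (whose approval was issued by an Admin rather than a Security Officer), while "dave" passes.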


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 688b972aad5a09ad00b9c2c5

Added to database: 7/31/2025, 4:17:46 PM

Last enriched: 7/31/2025, 4:32:52 PM

Last updated: 8/1/2025, 10:42:11 AM
