CVE-2025-35431: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') in CISA Thorium

Severity: Medium
Published: Wed Sep 17 2025 (09/17/2025, 16:52:16 UTC)
Source: CVE Database V5
Vendor/Project: CISA
Product: Thorium

Description

CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data such as group memberships. Fixed in 1.1.1.

AI-Powered Analysis

Last updated: 10/01/2025, 00:19:03 UTC

Technical Analysis

CVE-2025-35431 is a medium severity LDAP injection vulnerability (CWE-90, Improper Neutralization of Special Elements used in an LDAP Query) in CISA Thorium version 1.0.0. User-controlled input strings are not escaped before being incorporated into LDAP queries, so an attacker who can supply such a string can alter the structure and logic of the query rather than only its data values. In this case, an authenticated remote attacker can use the flaw to modify LDAP authorization data, such as group memberships, which can lead to privilege escalation or bypass of access controls within the affected system.

The CVSS vector reflects this: the attack is network-based (AV:N) with low complexity (AC:L), requires an authenticated account (PR:L) and no user interaction (UI:N), and has limited impact on confidentiality and integrity with no impact on availability (C:L/I:L/A:N). The issue is fixed in Thorium version 1.1.1. No exploits in the wild were reported as of the publication date, 2025-09-17. Because LDAP directories commonly serve as the source of truth for authentication and authorization in enterprise environments, tampering with group membership data can undermine the security controls that depend on it and lead to unauthorized access to other resources.

Potential Impact

For European organizations using CISA Thorium 1.0.0, this vulnerability poses a risk of unauthorized privilege escalation within their identity and access management infrastructure. Since LDAP is commonly used for managing user groups and permissions, an attacker exploiting this flaw could alter group memberships, granting themselves or others elevated access rights. This could lead to data exposure, unauthorized changes to sensitive information, or disruption of normal operations due to compromised access controls. The requirement for authentication limits the attack surface to insiders or compromised accounts, but the low complexity and network accessibility increase the risk if credentials are leaked or weak. Organizations in sectors with strict regulatory requirements for data protection, such as finance, healthcare, and government, could face compliance issues if unauthorized access leads to data breaches. Additionally, the integrity of authorization data being compromised can undermine trust in security policies and complicate incident response efforts. Although availability is not directly impacted, the indirect consequences of unauthorized access could include operational disruptions or further exploitation.

Mitigation Recommendations

European organizations should promptly upgrade CISA Thorium to version 1.1.1 or later, where this vulnerability has been fixed. Until the patch is applied, organizations should implement strict access controls to limit who can authenticate to the system, enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise, and monitor LDAP query logs for unusual or unauthorized modifications to group memberships. Input validation and sanitization should be reviewed and enhanced at the application level to ensure no unescaped user input is passed to LDAP queries. Network segmentation and limiting access to the LDAP service to trusted hosts can reduce exposure. Additionally, organizations should conduct regular audits of LDAP authorization data to detect unauthorized changes promptly. Security teams should also update their intrusion detection and prevention systems with signatures or heuristics that can detect LDAP injection attempts. Finally, user training to recognize phishing or credential theft attempts can help reduce the risk of attackers gaining the initial authentication required to exploit this vulnerability.
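The escaping step that the analysis and the mitigation above call for, as an added example that is not Thorium's own code: RFC 4515 escaping for values spliced into a search filter and RFC 4514 escaping for values spliced into a DN (for instance the DN of a group entry before a membership modify). The usernames, group names and the example.org base DN are constructed values, not data from the advisory.

```python
# Added example (not Thorium's code): neutralize LDAP metacharacters in
# user-controlled strings before they reach a search filter or a DN.
# All sample names and the example.org base DN are constructed values.

# RFC 4515 section 3: these characters must appear as \XX in a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that take a backslash anywhere in a DN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex-encoded value
            out.append(r"\#")
        elif ch == " " and i in (0, last):  # leading/trailing space is otherwise trimmed
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username: str) -> str:
    """Filter matching one person by uid; metacharacters in username stay data."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def group_dn(group_name: str) -> str:
    """DN of the group entry a membership modify would target."""
    return f"cn={escape_dn_value(group_name)},ou=groups,dc=example,dc=org"
```

Mature LDAP client libraries ship equivalent helpers (python-ldap's `ldap.filter.escape_filter_chars` and `ldap.dn.escape_dn_chars`, ldap3's `escape_filter_chars`); prefer those over a hand-written version, and apply them at every point where a user-controlled string is concatenated into a filter or DN.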

Technical Details

Data Version: 5.1
Assigner Short Name: cisa-cg
Date Reserved: 2025-04-15T20:57:14.280Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68cae909b253b63d00f0f6c8

Added to database: 9/17/2025, 4:59:53 PM

Last enriched: 10/1/2025, 12:19:03 AM

Last updated: 10/29/2025, 9:14:23 AM
