
CVE-2025-35431: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') in CISA Thorium

Severity: Medium
Tags: vulnerability, cve-2025-35431, cwe-90
Published: Wed Sep 17 2025 (09/17/2025, 16:52:16 UTC)
Source: CVE Database V5
Vendor/Project: CISA
Product: Thorium

Description

CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data such as group memberships. Fixed in 1.1.1.

AI-Powered Analysis

Last updated: 09/17/2025, 17:01:18 UTC

Technical Analysis

CVE-2025-35431 is a medium severity vulnerability classified under CWE-90, improper neutralization of special elements used in an LDAP query, commonly called LDAP injection. It affects CISA Thorium 1.0.0 (releases before the 1.1.1 fix): user-controlled strings are placed into LDAP queries without escaping. LDAP search filters treat the characters "*", "(", ")", "\" and NUL as syntax, so a value containing them can close the assertion the application intended, append assertions of the attacker's choosing, or widen a match with a wildcard, altering what the query returns. Here an authenticated remote attacker can use that to manipulate the authorization data Thorium derives from LDAP, such as which groups a user is treated as a member of; whether directory entries themselves can be written through the flaw is not stated in the record, so the safe assumption is that any authorization decision Thorium makes from LDAP query results can be influenced. Either way the outcome is unauthorized privilege escalation or access to resources gated on group membership. No user interaction is required, but the attacker must already hold low-privilege authenticated access. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and limited impact on confidentiality and integrity with no impact on availability, which corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue is fixed in Thorium 1.1.1. No exploitation in the wild had been reported as of the publication date.

Potential Impact

For European organizations running CISA Thorium 1.0.0, the risk is privilege escalation inside Thorium through the LDAP-backed authorization it relies on. LDAP is the usual backbone for centralized authentication and authorization in enterprise environments, so an attacker who can steer how group memberships are resolved can reach systems or data that membership was meant to protect, compromising confidentiality and integrity and potentially putting the organization out of step with data protection obligations such as GDPR. The exposure is largest where LDAP groups are the primary access-control mechanism: government agencies, financial institutions, healthcare providers, and large enterprises. The need for an authenticated account narrows the attack surface, but a malicious insider or a phished or reused credential is enough to meet it. The absence of known exploits lowers the immediate risk but not the priority of patching, since the flaw is simple to exercise once understood.

Mitigation Recommendations

European organizations should upgrade CISA Thorium to version 1.1.1 or later, where user-controlled strings are escaped before they enter an LDAP query; escaping filter values is the standard remedy for CWE-90 (RFC 4515 defines the rules for search filters), and it is not something a deployer can bolt on from outside, so the upgrade is the actual fix. Until it is applied, reduce who can reach the vulnerable code path: limit which accounts can authenticate to Thorium, enforce multi-factor authentication on them to make credential compromise harder, and keep Thorium reachable only from the network segments that need it. On the directory side, bind Thorium with a least-privilege, read-only service account so that an injected query cannot be turned into a change to the directory, and enable query logging on the LDAP server so the filters Thorium sends can be reviewed; a filter that carries more assertions or wildcards than the application's own templates ever produce is a direct indicator of injection. Forward those logs, together with any changes to group membership, to the SIEM and alert on unexpected additions to privileged groups. Finally, make administrators aware that the flaw requires only a valid low-privilege login, and watch for unusual authentication patterns on Thorium accounts.
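To make the mechanism concrete, the following is an added example, not code from Thorium or from CISA, written in Rust. It builds a "which groups contain this user" search filter the unsafe way (interpolating the username verbatim, as the technical analysis describes) and the safe way (escaping the value per RFC 4515 first), and shows what a constructed attacker-controlled username does to each. The filter template, the posixGroup/memberUid schema, and the attacker input are assumptions made for the example; nothing here is taken from the Thorium code base or the fix in 1.1.1.

```rust
// Added example (not Thorium's code): LDAP filter construction with and
// without RFC 4515 value escaping. The template, the posixGroup/memberUid
// schema and the attacker string below are assumptions for this example.

/// Escape one value for interpolation into an LDAP search filter
/// (RFC 4515 section 3). `*`, `(`, `)`, `\`, NUL and every non-ASCII byte
/// become `\XX` (two lowercase hex digits), so the result can only be read
/// as a literal assertion value, never as filter syntax.
pub fn escape_filter_value(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for b in value.bytes() {
        match b {
            b'*' | b'(' | b')' | b'\\' | 0x00 | 0x80..=0xFF => {
                out.push_str(&format!("\\{:02x}", b));
            }
            _ => out.push(b as char),
        }
    }
    out
}

/// Vulnerable pattern: the caller-controlled username goes straight into
/// the filter, so filter metacharacters in it change the query logic.
pub fn groups_filter_unsafe(username: &str) -> String {
    format!("(&(objectClass=posixGroup)(memberUid={}))", username)
}

/// Hardened pattern: the same template, with the value escaped first.
pub fn groups_filter_safe(username: &str) -> String {
    format!(
        "(&(objectClass=posixGroup)(memberUid={}))",
        escape_filter_value(username)
    )
}

/// Number of `(attr=...)` assertions in a filter: a cheap structural check
/// that reveals whether user input grew the query. Counts every '(' that is
/// not immediately followed by one of the filter operators '&', '|' or '!'.
pub fn assertion_count(filter: &str) -> usize {
    let bytes = filter.as_bytes();
    (0..bytes.len())
        .filter(|&i| {
            bytes[i] == b'('
                && !matches!(
                    bytes.get(i + 1).copied(),
                    Some(b'&') | Some(b'|') | Some(b'!')
                )
        })
        .count()
}

fn main() {
    // Constructed attacker-controlled username: it terminates the memberUid
    // assertion with a wildcard and appends a `cn=admin*` assertion, so the
    // "groups containing this user" query now returns every admin group and
    // the caller would treat the attacker as a member of all of them.
    let attacker = "*)(cn=admin*";

    let unsafe_filter = groups_filter_unsafe(attacker);
    let safe_filter = groups_filter_safe(attacker);

    // unsafe: (&(objectClass=posixGroup)(memberUid=*)(cn=admin*))   -> 3 assertions
    // safe:   (&(objectClass=posixGroup)(memberUid=\2a\29\28cn=admin\2a)) -> 2 assertions
    println!("unsafe: {}  [{} assertions]", unsafe_filter, assertion_count(&unsafe_filter));
    println!("safe:   {}  [{} assertions]", safe_filter, assertion_count(&safe_filter));
}
```

The escaped filter still parses, but its memberUid assertion can only match an entry whose memberUid is literally the string `*)(cn=admin*`, which no real group has, so the attacker gets nothing rather than every admin group. Note that these are the filter escaping rules; a value placed into a distinguished name (for example when building a bind DN from a username) needs the separate DN escaping rules of RFC 4514, and mixing the two is a common way to reintroduce the flaw.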
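The mitigation paragraph recommends reviewing the LDAP server's query log for filters the application would never produce on its own. The following added example, again in Rust and not code from Thorium or from any LDAP server, does that over a handful of constructed slapd-style "SRCH" log lines. It assumes the application's only group query has the fixed shape `(&(objectClass=posixGroup)(memberUid=<value>))`; any line whose filter starts that way but has a different number of assertions, or a memberUid value containing raw filter metacharacters, is flagged. The log lines, the template and the connection ids are all assumptions for the example.

```rust
// Added example (not Thorium's or OpenLDAP's code): a detection pass over
// slapd-style search log lines. The lines and the expected filter template
// are constructed for this example.

/// Constructed sample of slapd "SRCH" log lines. Line index 1 carries an
/// injected filter; index 2 carries the same attacker string, escaped.
pub const SAMPLE_LOG: &[&str] = &[
    r#"conn=1001 op=3 SRCH base="ou=groups,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=alice))""#,
    r#"conn=1002 op=5 SRCH base="ou=groups,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=*)(cn=admin*))""#,
    r#"conn=1003 op=2 SRCH base="ou=groups,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=\2a\29\28cn=admin\2a))""#,
    r#"conn=1004 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(uid=bob)""#,
];

/// Prefix every legitimate group-lookup filter from the application shares
/// (an assumption about the application's query template).
const GROUP_TEMPLATE_PREFIX: &str = "(&(objectClass=posixGroup)(memberUid=";

/// Pull the quoted filter out of a SRCH line, if the line carries one.
pub fn extract_filter(line: &str) -> Option<&str> {
    let start = line.find("filter=\"")? + "filter=\"".len();
    let end = line[start..].find('"')? + start;
    Some(&line[start..end])
}

/// Return the first assertion value for `attr`, e.g. "alice" for
/// `(memberUid=alice)`. Stops at the first ')' because that is exactly
/// where an injected, unescaped value would have ended the assertion.
fn value_of<'a>(filter: &'a str, attr: &str) -> Option<&'a str> {
    let key = format!("({}=", attr);
    let start = filter.find(&key)? + key.len();
    let end = filter[start..].find(')')? + start;
    Some(&filter[start..end])
}

/// True when a filter that starts like the application's group template
/// has been reshaped: a different number of '(' than the template's three,
/// or raw '*', '(' or ')' inside the memberUid value (an escaped value only
/// ever contains `\XX` sequences for those characters).
pub fn is_injected_group_query(filter: &str) -> bool {
    if !filter.starts_with(GROUP_TEMPLATE_PREFIX) {
        return false; // some other query; not this rule's concern
    }
    let opens = filter.matches('(').count();
    let raw_meta = value_of(filter, "memberUid")
        .map(|v| v.chars().any(|c| c == '*' || c == '(' || c == ')'))
        .unwrap_or(false);
    opens != 3 || raw_meta
}

/// Indices of the log lines whose group-lookup filter looks injected.
pub fn scan(lines: &[&str]) -> Vec<usize> {
    lines
        .iter()
        .enumerate()
        .filter(|(_, line)| extract_filter(line).map_or(false, is_injected_group_query))
        .map(|(i, _)| i)
        .collect()
}

fn main() {
    for i in scan(SAMPLE_LOG) {
        println!("suspicious group query: {}", SAMPLE_LOG[i]);
    }
}
```

Run over the sample, only the line from conn=1002 is reported: its filter has four assertions and a bare wildcard in memberUid, while the escaped line from conn=1003 keeps the template's shape and the unrelated `(uid=bob)` lookup is ignored. In production the template prefix and the assertion count would be taken from the application's actual queries, and the rule would be one of several feeding the SIEM alongside group-change events from the directory.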


Technical Details

Data Version
5.1
Assigner Short Name
cisa-cg
Date Reserved
2025-04-15T20:57:14.280Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68cae909b253b63d00f0f6c8

Added to database: 9/17/2025, 4:59:53 PM

Last enriched: 9/17/2025, 5:01:18 PM

Last updated: 9/17/2025, 5:01:18 PM

