
CVE-2025-3840: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Saviynt OVA based Connect

Severity: Medium
Published: Mon Apr 21 2025 (04/21/2025, 09:39:16 UTC)
Source: CVE
Vendor/Project: Saviynt
Product: OVA based Connect

Description

An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts, which would lead to an XSS attack under certain conditions.

AI-Powered Analysis

Last updated: 06/20/2025, 09:35:56 UTC

Technical Analysis

CVE-2025-3840 is a medium-severity vulnerability classified under CWE-79, indicating an improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the End of Life (EOL) OVA based Connect installer component from Saviynt, which is used for installation purposes within customer networks. The affected versions include specific builds of the product running on AlmaLinux 8.x, CentOS 7.x, and RHEL 8.x platforms, specifically versions SC2.0-Client-2.0 and SC2.0-Client-3.0. The component was deprecated in September 2023, with support ending in January 2024, meaning no official patches or updates are expected beyond that date.

The vulnerability arises from improper sanitization of the "action" parameter in the login form of the installer component. An attacker can manipulate this parameter to inject malicious scripts, which, when executed in the context of a victim's browser, can lead to XSS attacks. Such attacks can enable an adversary to steal session cookies, perform actions on behalf of the user, or deliver further malicious payloads. Exploitation requires the attacker to trick a user into accessing a crafted URL or interacting with the vulnerable login form under certain conditions. There are no known exploits in the wild at the time of publication, and no patches have been released due to the component's EOL status.

Given the nature of the vulnerability, it primarily impacts the confidentiality and integrity of user sessions and data processed through the affected installer interface. The vulnerability does not require authentication but does require user interaction to trigger the malicious script execution. The scope is limited to environments where this deprecated installer component is still in use, which may be limited given its EOL status but could persist in legacy or slow-to-update environments.

Potential Impact

For European organizations, the impact of CVE-2025-3840 can be significant if the vulnerable OVA based Connect installer component remains deployed within their infrastructure. Since this component is used during installation, it may be present in staging or deployment environments, potentially exposing administrative or privileged users to XSS attacks. Successful exploitation could lead to session hijacking, unauthorized actions, or the delivery of secondary malware payloads, compromising the integrity and confidentiality of sensitive identity and access management processes managed by Saviynt solutions. Given the EOL status, organizations continuing to use this component face increased risk due to the lack of vendor support and patches. This could also lead to compliance challenges under European data protection regulations such as GDPR if personal data is compromised. The impact is heightened in sectors with critical identity management needs, such as finance, healthcare, and government, where Saviynt products are often deployed. Additionally, attackers could leverage this vulnerability as a foothold for further lateral movement within networks, especially in environments where the installer is accessible remotely or via web interfaces.

Mitigation Recommendations

1. Immediate discontinuation of the use of the EOL OVA based Connect installer component is strongly recommended. Organizations should migrate to supported versions or alternative deployment methods provided by Saviynt.
2. If migration is not immediately possible, restrict network access to the installer interface to trusted administrative hosts only, using network segmentation and firewall rules.
3. Implement web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the "action" parameter in the login form.
4. Conduct thorough input validation and output encoding on any web interfaces interacting with the installer component, if customization is possible.
5. Educate administrative users about the risks of phishing and social engineering attacks that could exploit this XSS vulnerability.
6. Monitor logs for suspicious URL parameters or unusual login form activity that could indicate attempted exploitation.
7. Plan and execute a full upgrade or replacement of the affected component before the end of support date to ensure ongoing security and compliance.
8. Review and harden identity and access management policies to limit the potential damage from compromised sessions.
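For the log-monitoring recommendation, the following is an added example (not code from Saviynt or from the original advisory) that scans web access logs for script-injection markers in an `action` query parameter, including double-encoded values. The combined log format, the `/login` path and the benign `authenticate` value are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters and tokens that should never appear in a benign "action" value.
SUSPICIOUS = re.compile(
    r"""[<>"'`]                              # markup / attribute break-out
      | \b(?:javascript|vbscript|data)\s*:   # script-capable URL schemes
      | \bon[a-z]+\s*=                       # inline event handlers
    """,
    re.IGNORECASE | re.VERBOSE,
)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), with a bound."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_action(log_line, param="action"):
    """Return the decoded `param` value if it looks like script injection."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = fully_decode(value)
        if name.lower() == param and SUSPICIOUS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = [(n, suspicious_action(line)) for n, line in enumerate(lines, 1)]
    return [(n, value) for n, value in hits if value is not None]

# Constructed sample lines; the /login path and "authenticate" value are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2025:10:00:01 +0000] "GET /login?action=authenticate HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Apr/2025:10:00:05 +0000] "GET /login?action=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [21/Apr/2025:10:00:09 +0000] "GET /login?action=javascript%253Aalert(1) HTTP/1.1" 200 530',
    '198.51.100.4 - - [21/Apr/2025:10:00:12 +0000] "GET /status HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious action value {value!r}")
```

Access logs record only the query string, so a value submitted in a POST body has to be inspected at the WAF or reverse proxy instead.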


Technical Details

Data Version: 5.1
Assigner Short Name: Saviynt
Date Reserved: 2025-04-21T09:34:01.701Z
CISA Enriched: true

Threat ID: 682d984bc4522896dcbf84a5

Added to database: 5/21/2025, 9:09:31 AM

Last enriched: 6/20/2025, 9:35:56 AM

Last updated: 8/11/2025, 10:42:40 AM
