CVE-2025-6392: CWE-532 Insertion of Sensitive Information into Log File in Broadcom Brocade SANnav
Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
AI Analysis
Technical Summary
CVE-2025-6392 is a medium-severity vulnerability affecting Broadcom's Brocade SANnav product versions prior to 2.4.0a. The vulnerability arises from the improper handling of sensitive information, specifically database passwords, which are logged in clear text within the audit logs of the local server virtual machine. This occurs when the daily data dump collector component invokes docker exec commands. These audit logs reside on the host server VM and are not managed or controlled by the SANnav application itself. Importantly, these logs are only accessible to the server administrators of the host machine and are not visible to SANnav administrators or users. The vulnerability is classified under CWE-532, which pertains to the insertion of sensitive information into log files, potentially exposing secrets to unauthorized parties with access to the host server. The CVSS v4.0 base score is 6.7, reflecting a medium severity level, with an attack vector limited to local access (AV:L), low attack complexity (AC:L), high privileges required (PR:H), no user interaction, and high impact on availability. No known exploits are currently reported in the wild. The vulnerability does not affect the confidentiality, integrity, or availability of the SANnav application directly but poses a risk if an attacker gains access to the host server and can read these logs, potentially allowing credential compromise and subsequent lateral movement or privilege escalation within the environment.
Potential Impact
For European organizations utilizing Brocade SANnav versions prior to 2.4.0a, this vulnerability presents a risk primarily to the confidentiality of database credentials. If an attacker or malicious insider gains administrative access to the host server VM, they could extract database passwords from the audit logs, potentially compromising the SAN infrastructure. This could lead to unauthorized access to storage area networks (SANs), data exfiltration, or disruption of critical storage services. Given that SANnav is used to manage and monitor SAN environments, compromise of these credentials could undermine the integrity and availability of storage resources, impacting business-critical applications and data. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government agencies across Europe, may face increased risk due to the sensitivity of the data stored on SANs. However, since the logs are not accessible remotely or by SANnav users, the threat is mitigated by the need for local administrative access, limiting the attack surface to insiders or attackers who have already breached the host server.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize upgrading Brocade SANnav to version 2.4.0a or later, where this logging issue has been addressed. Until the update can be applied, organizations should restrict and monitor administrative access to the host server VM to prevent unauthorized users from accessing audit logs. Implement strict access controls and auditing on the host server to detect any suspicious activity related to log file access. Additionally, consider encrypting audit logs at the filesystem level or using secure logging mechanisms that prevent sensitive information from being stored in clear text. Regularly review and rotate database credentials to limit the window of exposure if credentials are compromised. Network segmentation and isolation of management servers can further reduce the risk of lateral movement by attackers who gain initial access. Finally, conduct security awareness training for administrators to highlight the importance of protecting host server environments and sensitive log data.
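To decide whether credentials need rotating, a host administrator can check whether the audit log already holds docker exec records with a password in their arguments. The sketch below is an added example, not code from Broadcom or from this page; it assumes the host audit log is Linux auditd with EXECVE records, and the sample records, container name and password argument names are constructed for illustration.

```python
import re

ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
MSG = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
# Heuristic (assumption): a secret looks like NAME=value or NAME value where
# NAME contains "pass", "pwd" or "secret". Tune it to the commands on your host.
SECRET = re.compile(r'(?i)([\w-]*(?:pass|pwd|secret)[\w-]*)(=|\s+)(\S+)')

# Constructed sample records; auditd hex-encodes arguments containing spaces,
# so the last argument of the third record is built that way.
_HEX = "dump-tool --password Example2".encode().hex().upper()
SAMPLE_LOG = "\n".join([
    'type=EXECVE msg=audit(1752000000.101:901): argc=3 a0="docker" a1="ps" a2="-a"',
    'type=EXECVE msg=audit(1752000060.202:902): argc=7 a0="docker" a1="exec" a2="-e" '
    'a3="DB_PASSWORD=Example-Not-Real" a4="example-db" a5="dump-tool" a6="--all"',
    'type=EXECVE msg=audit(1752000120.303:903): argc=6 a0="/usr/bin/docker" a1="exec" '
    'a2="example-db" a3="sh" a4="-c" a5=' + _HEX,
    'type=EXECVE msg=audit(1752000180.404:904): argc=4 a0="docker" a1="exec" a2="example-db" a3="ls"',
])

def decode_args(record):
    """Return the argv of one EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexed in ARG.findall(record):
        args[int(idx)] = quoted if not hexed else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def find_exposures(log_text):
    """Return (audit event id, redacted command line) for docker exec records holding a secret."""
    hits = []
    for line in log_text.splitlines():
        if "type=EXECVE" not in line:
            continue
        argv = decode_args(line)
        if not argv or argv[0].rsplit("/", 1)[-1] != "docker" or "exec" not in argv[1:]:
            continue
        redacted, n = SECRET.subn(lambda m: m.group(1) + m.group(2) + "<REDACTED>", " ".join(argv))
        if n:
            event = MSG.search(line)
            hits.append((event.group(1) if event else "?", redacted))
    return hits

if __name__ == "__main__":
    for event_id, cmdline in find_exposures(SAMPLE_LOG):
        print(event_id, cmdline)
```

The output lists only event ids and redacted command lines, so the report can be shared without copying the credential out of the log. Any hit means the corresponding database password should be treated as exposed and rotated.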
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: brocade
- Date Reserved: 2025-06-20T03:43:47.511Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6870311ba83201eaacaa0c15
Added to database: 7/10/2025, 9:31:07 PM
Last enriched: 7/10/2025, 9:46:11 PM
Last updated: 7/11/2025, 4:27:19 AM