Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

892 vulnerabilities reference this CWE, most recent first.

CVE-2025-49124 (GCVE-0-2025-49124)

Vulnerability from cvelistv5 – Published: 2025-06-16 14:22 – Updated: 2025-10-29 14:25
VLAI
Title
Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows
Summary
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Tomcat Affected: 11.0.0-M1 , ≤ 11.0.7 (semver)
Affected: 10.1.0 , ≤ 10.1.41 (semver)
Affected: 9.0.23 , ≤ 9.0.105 (semver)
Affected: 8.5.44 , ≤ 8.5.100 (semver)
Affected: 7.0.95 , ≤ 7.0.109 (semver)
Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver)
Create a notification for this product.
Credits
T. Doğa Gelişli https://linkedin.com/in/tdogagelisli/
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-06-16T20:03:24.388Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/16/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-49124",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T14:03:41.847617Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-29T14:25:42.691Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.7",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.41",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.105",
              "status": "affected",
              "version": "9.0.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "unknown",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "T. Do\u011fa Geli\u015fli https://linkedin.com/in/tdogagelisli/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUntrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109.\u0026nbsp;Other EOL versions may also be affected.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109.\u00a0Other EOL versions may also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T11:44:28.762Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-49124",
    "datePublished": "2025-06-16T14:22:16.288Z",
    "dateReserved": "2025-06-02T08:34:46.719Z",
    "dateUpdated": "2025-10-29T14:25:42.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-43079 (GCVE-0-2025-43079)

Vulnerability from cvelistv5 – Published: 2025-11-10 17:10 – Updated: 2026-03-18 17:10
VLAI
Title
Local Privilege Escalation via qagent_uninstall.sh Qualys Cloud Agents
Summary
The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Date Public
2025-11-10 16:32
Credits
Brent Zaltsman (AfricanHipp0)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43079",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-11T04:55:38.944965Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:47:03.045Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "7.2.3",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "platforms": [
            "BSD"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "7.1.0",
              "status": "affected",
              "version": "3.12",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "platforms": [
            "IBM AIX"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "6.0.0",
              "status": "affected",
              "version": "4.17",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "MacOS",
            "x86",
            "64 bit"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "6.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "MacOS (M Series Silicon CPU)"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "6.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "zLinux"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "3.31.1-8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "PPC"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "3.21.1-6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "CoreOS"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "4.2.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Bottlerocket Intel"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "5.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "GoogleCOS"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "5.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Bottlerocket",
            "ARM"
          ],
          "product": "Qualys Agent",
          "vendor": "Qualys Inc",
          "versions": [
            {
              "lessThan": "6.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eLocal access to the system (the attacker must be local).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eAbility to run sudo or root (the uninstall script requires sudo at minimum for execution or must be run as root).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eAbility to modify $PATH (temporarily in the shell session used to launch the uninstall script, or persistently via writable shell configuration files such as ~/.bashrc, ~/.zshrc).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eExecution of qagent_uninstall.sh within the compromised environment where $PATH points to attacker-controlled locations.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eBecause exploitation requires the ability to run sudo (or be root), the vulnerability is not remotely exploitable by default \u2014 it relies on local privilege and environment manipulation, but the consequences are elevated (execution under high privilege). \u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "*  Local access to the system (the attacker must be local).\n\n\n  *  Ability to run sudo or root (the uninstall script requires sudo at minimum for execution or must be run as root).\n\n\n  *  Ability to modify $PATH (temporarily in the shell session used to launch the uninstall script, or persistently via writable shell configuration files such as ~/.bashrc, ~/.zshrc).\n\n\n  *  Execution of qagent_uninstall.sh within the compromised environment where $PATH points to attacker-controlled locations.\n\n\n\n\n\n\nBecause exploitation requires the ability to run sudo (or be root), the vulnerability is not remotely exploitable by default \u2014 it relies on local privilege and environment manipulation, but the consequences are elevated (execution under high privilege)."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:linux:*:*:*:*:*",
                  "versionEndExcluding": "7.2.3",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:bsd:*:*:*:*:*",
                  "versionEndExcluding": "7.1.0",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:ibm_aix:*:*:*:*:*",
                  "versionEndExcluding": "6.0.0",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:macos:*:*:*:*:*",
                  "versionEndExcluding": "6.2.1",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:x86:*:*:*:*:*",
                  "versionEndExcluding": "6.2.1",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:64_bit:*:*:*:*:*",
                  "versionEndExcluding": "6.2.1",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:macos_m_series_silicon_cpu_:*:*:*:*:*",
                  "versionEndExcluding": "6.3.1",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:zlinux:*:*:*:*:*",
                  "versionEndExcluding": "3.31.1-8",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:ppc:*:*:*:*:*",
                  "versionEndExcluding": "3.21.1-6",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:coreos:*:*:*:*:*",
                  "versionEndExcluding": "4.2.6",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:bottlerocket_intel:*:*:*:*:*",
                  "versionEndExcluding": "5.0.3",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:googlecos:*:*:*:*:*",
                  "versionEndExcluding": "5.0.2",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:bottlerocket:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:arm:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Brent Zaltsman (AfricanHipp0)"
        }
      ],
      "datePublic": "2025-11-10T16:32:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eThe Qualys Cloud Agent included a bundled uninstall script (\u003c/span\u003e\u003cspan\u003eqagent_uninstall.sh\u003c/span\u003e\u003cspan\u003e), specific to Mac and Linux supported versions that invoked multiple system commands \u003c/span\u003e\u003cspan\u003ewithout using absolute paths and without sanitizing the \u003c/span\u003e\u003cspan\u003e$PATH\u003c/span\u003e\u003cspan\u003e environment\u003c/span\u003e\u003cspan\u003e. If the uninstall script is executed with elevated privileges (e.g., via \u003c/span\u003e\u003cspan\u003esudo\u003c/span\u003e\u003cspan\u003e) in an environment where \u003c/span\u003e\u003cspan\u003e$PATH\u003c/span\u003e\u003cspan\u003e has been manipulated, an attacker with \u003c/span\u003e\u003cspan\u003eroot\u003c/span\u003e\u003cspan\u003e/\u003c/span\u003e\u003cspan\u003esudo\u003c/span\u003e\u003cspan\u003e privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges.\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e"
            }
          ],
          "value": "The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T17:10:59.799Z",
        "orgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
        "shortName": "Qualys"
      },
      "references": [
        {
          "url": "https://www.qualys.com/security-advisories/cve-2025-43079"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCustomers are advised to update to non-affected versions of Qualys product\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
            }
          ],
          "value": "Customers are advised to update to non-affected versions of Qualys product."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Local Privilege Escalation via qagent_uninstall.sh Qualys Cloud Agents",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Customers are advised to check workaround solutions listed on\u0026nbsp;\n\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.qualys.com/security-advisories/cve-2025-43079\"\u003ehttps://www.qualys.com/security-advisories/cve-2025-43079\u003c/a\u003e"
            }
          ],
          "value": "Customers are advised to check workaround solutions listed on\u00a0\n\n https://www.qualys.com/security-advisories/cve-2025-43079"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
    "assignerShortName": "Qualys",
    "cveId": "CVE-2025-43079",
    "datePublished": "2025-11-10T17:10:31.066Z",
    "dateReserved": "2025-04-16T14:43:29.660Z",
    "dateUpdated": "2026-03-18T17:10:59.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40945 (GCVE-0-2025-40945)

Vulnerability from cvelistv5 – Published: 2026-07-14 09:19 – Updated: 2026-07-14 12:16
VLAI
Summary
A vulnerability has been identified in COMOS V10.4.5 (All versions < V10.4.5.0.2), COMOS V10.6 (All versions < V10.6.1), Designcenter NX (All versions < V2512.7000), Simcenter 3D (All versions < V2512.7000), Simcenter Femap V2506 (All versions < V2506.0003), Simcenter Femap V2512 (All versions < V2512.0002), Simcenter Nastran (All versions < V2606), Simcenter STAR-CCM+ (All versions < V2606), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Teamcenter Visualization V2412 (All versions < V2412.0012), Teamcenter Visualization V2506 (All versions < V2506.0009), Teamcenter Visualization V2512 (All versions < V2512.2605), Tecnomatix Plant Simulation V2404 (All versions < V2404.0022), Tecnomatix Plant Simulation V2504 (All versions < V2504.0010), Tecnomatix Process Simulate (All versions < V2606). Untrusted search path in IAM Client SDK may allow an authenticated user to potentially enable escalation of privilege via local access.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Siemens COMOS V10.4.5 Affected: 0 , < V10.4.5.0.2 (custom)
Create a notification for this product.
Siemens COMOS V10.6 Affected: 0 , < V10.6.1 (custom)
Create a notification for this product.
Siemens Designcenter NX Affected: 0 , < V2512.7000 (custom)
Create a notification for this product.
Siemens Simcenter 3D Affected: 0 , < V2512.7000 (custom)
Create a notification for this product.
Siemens Simcenter Femap V2506 Affected: 0 , < V2506.0003 (custom)
Create a notification for this product.
Siemens Simcenter Femap V2512 Affected: 0 , < V2512.0002 (custom)
Create a notification for this product.
Siemens Simcenter Nastran Affected: 0 , < V2606 (custom)
Create a notification for this product.
Siemens Simcenter STAR-CCM+ Affected: 0 , < V2606 (custom)
Create a notification for this product.
Siemens Solid Edge SE2025 Affected: 0 , < V225.0 Update 13 (custom)
Create a notification for this product.
Siemens Solid Edge SE2026 Affected: 0 , < V226.0 Update 04 (custom)
Create a notification for this product.
Siemens Teamcenter Visualization V2412 Affected: 0 , < V2412.0012 (custom)
Create a notification for this product.
Siemens Teamcenter Visualization V2506 Affected: 0 , < V2506.0009 (custom)
Create a notification for this product.
Siemens Teamcenter Visualization V2512 Affected: 0 , < V2512.2605 (custom)
Create a notification for this product.
Siemens Tecnomatix Plant Simulation V2404 Affected: 0 , < V2404.0022 (custom)
Create a notification for this product.
Siemens Tecnomatix Plant Simulation V2504 Affected: 0 , < V2504.0010 (custom)
Create a notification for this product.
Siemens Tecnomatix Process Simulate Affected: 0 , < V2606 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-40945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T12:16:50.783446Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T12:16:59.871Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "COMOS V10.4.5",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V10.4.5.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "COMOS V10.6",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V10.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Designcenter NX",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2512.7000",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Simcenter 3D",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2512.7000",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Simcenter Femap V2506",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2506.0003",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Simcenter Femap V2512",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2512.0002",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Simcenter Nastran",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2606",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Simcenter STAR-CCM+",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2606",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Solid Edge SE2025",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V225.0 Update 13",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Solid Edge SE2026",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V226.0 Update 04",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Teamcenter Visualization V2412",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2412.0012",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Teamcenter Visualization V2506",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2506.0009",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Teamcenter Visualization V2512",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2512.2605",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Tecnomatix Plant Simulation V2404",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2404.0022",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Tecnomatix Plant Simulation V2504",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2504.0010",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Tecnomatix Process Simulate",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2606",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in COMOS V10.4.5 (All versions \u003c V10.4.5.0.2), COMOS V10.6 (All versions \u003c V10.6.1), Designcenter NX (All versions \u003c V2512.7000), Simcenter 3D (All versions \u003c V2512.7000), Simcenter Femap V2506 (All versions \u003c V2506.0003), Simcenter Femap V2512 (All versions \u003c V2512.0002), Simcenter Nastran (All versions \u003c V2606), Simcenter STAR-CCM+ (All versions \u003c V2606), Solid Edge SE2025 (All versions \u003c V225.0 Update 13), Solid Edge SE2026 (All versions \u003c V226.0 Update 04), Teamcenter Visualization V2412 (All versions \u003c V2412.0012), Teamcenter Visualization V2506 (All versions \u003c V2506.0009), Teamcenter Visualization V2512 (All versions \u003c V2512.2605), Tecnomatix Plant Simulation V2404 (All versions \u003c V2404.0022), Tecnomatix Plant Simulation V2504 (All versions \u003c V2504.0010), Tecnomatix Process Simulate (All versions \u003c V2606). Untrusted search path in IAM Client SDK may allow an authenticated user to potentially enable escalation of privilege via local access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T09:19:08.857Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-288252.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2025-40945",
    "datePublished": "2026-07-14T09:19:08.857Z",
    "dateReserved": "2025-04-16T09:06:15.879Z",
    "dateUpdated": "2026-07-14T12:16:59.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40909 (GCVE-0-2025-40909)

Vulnerability from cvelistv5 – Published: 2025-05-30 12:20 – Updated: 2026-04-18 14:15
VLAI
Title
Perl threads have a working directory race condition where file operations may target unintended paths
Summary
Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-689 - Permission Race Condition During Resource Copy
  • CWE-426 - Untrusted Search Path
Assigner
Impacted products
Vendor Product Version
perl perl Affected: 5.13.6 , < 5.41.13 (custom)
Create a notification for this product.
Credits
Vincent Lefevre
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-18T14:15:40.356Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/23/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/30/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/02/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/02/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/02/6"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/02/7"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/03/1"
          },
          {
            "url": "http://seclists.org/fulldisclosure/2025/Sep/55"
          },
          {
            "url": "http://seclists.org/fulldisclosure/2025/Sep/54"
          },
          {
            "url": "http://seclists.org/fulldisclosure/2025/Sep/53"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00018.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "LOW",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40909",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T14:05:00.839656Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T14:09:50.842Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "perl",
          "product": "perl",
          "programRoutines": [
            {
              "name": "threads"
            }
          ],
          "repo": "https://github.com/perl/perl5",
          "vendor": "perl",
          "versions": [
            {
              "lessThan": "5.41.13",
              "status": "affected",
              "version": "5.13.6",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vincent Lefevre"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Perl threads have a working directory race condition where file operations may target unintended paths.\u003cbr\u003e\u003cbr\u003eIf a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone\u0026nbsp;that handle for the new thread, which is visible from any third (or\u0026nbsp;more) thread already running. \u003cbr\u003e\u003cbr\u003eThis may lead to unintended operations\u0026nbsp;such as loading code or accessing files from unexpected locations,\u0026nbsp;which a local attacker may be able to exploit.\u003cbr\u003e\u003cbr\u003eThe bug was introduced in commit\u0026nbsp;11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6"
            }
          ],
          "value": "Perl threads have a working directory race condition where file operations may target unintended paths.\n\nIf a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone\u00a0that handle for the new thread, which is visible from any third (or\u00a0more) thread already running. \n\nThis may lead to unintended operations\u00a0such as loading code or accessing files from unexpected locations,\u00a0which a local attacker may be able to exploit.\n\nThe bug was introduced in commit\u00a011a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-689",
              "description": "CWE-689 Permission Race Condition During Resource Copy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-05T13:24:00.827Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch"
        },
        {
          "tags": [
            "mailing-list",
            "exploit"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2025/05/22/2"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/Perl/perl5/issues/23010"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/Perl/perl5/issues/10387"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update perl to an unaffected version, or apply the patch provided in the references section."
            }
          ],
          "value": "Update perl to an unaffected version, or apply the patch provided in the references section."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Perl threads have a working directory race condition where file operations may target unintended paths",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40909",
    "datePublished": "2025-05-30T12:20:11.237Z",
    "dateReserved": "2025-04-16T09:05:34.360Z",
    "dateUpdated": "2026-04-18T14:15:40.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39666 (GCVE-0-2025-39666)

Vulnerability from cvelistv5 – Published: 2026-04-07 12:09 – Updated: 2026-04-07 13:18
VLAI
Title
omd: Local privilege escalation when executing omd commands as root
Summary
Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-426 - Untrusted Search Path
  • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
URL Tags
https://checkmk.com/werk/18891 vendor-advisory
Impacted products
Vendor Product Version
Checkmk GmbH Checkmk Affected: 2.2.0 (semver)
Affected: 2.3.0 , < 2.3.0p46 (semver)
Affected: 2.4.0 , < 2.4.0p25 (semver)
Affected: 2.5.0b1 , < 2.5.0b3 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-39666",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T13:18:12.687066Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T13:18:19.609Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Checkmk",
          "vendor": "Checkmk GmbH",
          "versions": [
            {
              "status": "affected",
              "version": "2.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.3.0p46",
              "status": "affected",
              "version": "2.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.4.0p25",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.5.0b3",
              "status": "affected",
              "version": "2.5.0b1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.3.0p46",
                  "versionStartIncluding": "2.3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.4.0p25",
                  "versionStartIncluding": "2.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.5.0b3",
                  "versionStartIncluding": "2.5.0b1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-471",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-471: Search Order Hijacking"
            }
          ]
        },
        {
          "capecId": "CAPEC-17",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-17: Accessing, Modifying or Executing Executable Files"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T12:09:07.609Z",
        "orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
        "shortName": "Checkmk"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://checkmk.com/werk/18891"
        }
      ],
      "title": "omd: Local privilege escalation when executing omd commands as root",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
    "assignerShortName": "Checkmk",
    "cveId": "CVE-2025-39666",
    "datePublished": "2026-04-07T12:09:07.609Z",
    "dateReserved": "2025-04-16T07:07:38.257Z",
    "dateUpdated": "2026-04-07T13:18:19.609Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-31480 (GCVE-0-2025-31480)

Vulnerability from cvelistv5 – Published: 2025-04-04 14:49 – Updated: 2025-04-04 14:57
VLAI
Title
aiven-extras allows PostgreSQL Privilege Escalation through format function
Summary
aiven-extras is a PostgreSQL extension. This is a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages the format function not being schema-prefixed. Affected users should install 1.1.16 and ensure they run the latest version issuing ALTER EXTENSION aiven_extras UPDATE TO '1.1.16' after installing it. This needs to happen in each database aiven_extras has been installed in.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
aiven aiven-extras Affected: < 1.1.16
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31480",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-04T14:57:39.462536Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-04T14:57:54.321Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aiven-extras",
          "vendor": "aiven",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "aiven-extras is a PostgreSQL extension. This is a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages the format function not being schema-prefixed. Affected users should install 1.1.16 and ensure they run the latest version issuing ALTER EXTENSION aiven_extras UPDATE TO \u00271.1.16\u0027 after installing it. This needs to happen in each database aiven_extras has been installed in."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-04T14:49:30.863Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aiven/aiven-extras/security/advisories/GHSA-33xh-jqgf-6627",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aiven/aiven-extras/security/advisories/GHSA-33xh-jqgf-6627"
        },
        {
          "name": "https://github.com/aiven/aiven-extras/commit/77b5f19a0c1d196bc741ff5c774f85fe7ca3063b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aiven/aiven-extras/commit/77b5f19a0c1d196bc741ff5c774f85fe7ca3063b"
        }
      ],
      "source": {
        "advisory": "GHSA-33xh-jqgf-6627",
        "discovery": "UNKNOWN"
      },
      "title": "aiven-extras allows PostgreSQL Privilege Escalation through format function"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-31480",
    "datePublished": "2025-04-04T14:49:30.863Z",
    "dateReserved": "2025-03-28T13:36:51.297Z",
    "dateUpdated": "2025-04-04T14:57:54.321Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-30407 (GCVE-0-2025-30407)

Vulnerability from cvelistv5 – Published: 2025-03-26 21:32 – Updated: 2026-02-26 19:09
VLAI
Summary
Local privilege escalation due to a binary hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39713.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Acronis Acronis Cyber Protect Cloud Agent Affected: unspecified , < 39713 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30407",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T03:55:19.722136Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T19:09:10.614Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Acronis Cyber Protect Cloud Agent",
          "vendor": "Acronis",
          "versions": [
            {
              "lessThan": "39713",
              "status": "affected",
              "version": "unspecified",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Local privilege escalation due to a binary hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39713."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-26T21:32:30.085Z",
        "orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
        "shortName": "Acronis"
      },
      "references": [
        {
          "name": "SEC-8414",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security-advisory.acronis.com/advisories/SEC-8414"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
    "assignerShortName": "Acronis",
    "cveId": "CVE-2025-30407",
    "datePublished": "2025-03-26T21:32:30.085Z",
    "dateReserved": "2025-03-21T21:04:39.510Z",
    "dateUpdated": "2026-02-26T19:09:10.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-30399 (GCVE-0-2025-30399)

Vulnerability from cvelistv5 – Published: 2025-06-13 01:08 – Updated: 2026-02-20 16:00
VLAI
Title
.NET and Visual Studio Remote Code Execution Vulnerability
Summary
Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Date Public
2025-06-10 07:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30399",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T15:46:01.058158Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T15:46:09.476Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": ".NET 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.17",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.6",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Visual Studio 2022 version 17.10",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "17.10.16",
              "status": "affected",
              "version": "17.10.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Visual Studio 2022 version 17.12",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "17.12.9",
              "status": "affected",
              "version": "17.12.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Visual Studio 2022 version 17.14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "17.14.5",
              "status": "affected",
              "version": "17.14.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Visual Studio 2022 version 17.8",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "17.8.22",
              "status": "affected",
              "version": "17.8.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PowerShell 7.4",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.4.11",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PowerShell 7.5",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.5.2",
              "status": "affected",
              "version": "7.5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:powershell:*:-:*:*:*:*:*:*",
                  "versionEndExcluding": "7.4.11",
                  "versionStartIncluding": "7.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:powershell:*:-:*:*:*:*:*:*",
                  "versionEndExcluding": "7.5.2",
                  "versionStartIncluding": "7.5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.17",
                  "versionStartIncluding": "8.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.6",
                  "versionStartIncluding": "9.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "17.12.9",
                  "versionStartIncluding": "17.12.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "17.8.22",
                  "versionStartIncluding": "17.8.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "17.10.16",
                  "versionStartIncluding": "17.10.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "17.14.5",
                  "versionStartIncluding": "17.14.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2025-06-10T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T16:00:32.339Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": ".NET and Visual Studio Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399"
        }
      ],
      "title": ".NET and Visual Studio Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2025-30399",
    "datePublished": "2025-06-13T01:08:00.208Z",
    "dateReserved": "2025-03-21T19:09:29.816Z",
    "dateUpdated": "2026-02-20T16:00:32.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-27743 (GCVE-0-2025-27743)

Vulnerability from cvelistv5 – Published: 2025-04-08 17:23 – Updated: 2026-02-13 19:32
VLAI
Title
Microsoft System Center Elevation of Privilege Vulnerability
Summary
Untrusted search path in System Center allows an authorized attacker to elevate privileges locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Microsoft System Center Data Protection Manager 2019 Affected: -
Create a notification for this product.
Microsoft System Center Data Protection Manager 2022 Affected: -
Create a notification for this product.
Microsoft System Center Data Protection Manager 2025 Affected: -
Create a notification for this product.
Microsoft System Center Operations Manager 2019 Affected: -
Create a notification for this product.
Microsoft System Center Operations Manager 2022 Affected: -
Create a notification for this product.
Microsoft System Center Operations Manager 2025 Affected: -
Create a notification for this product.
Microsoft System Center Orchestrator 2019 Affected: -
Create a notification for this product.
Microsoft System Center Orchestrator 2022 Affected: -
Create a notification for this product.
Microsoft System Center Orchestrator 2025 Affected: -
Create a notification for this product.
Microsoft System Center Service Manager 2019 Affected: -
Create a notification for this product.
Microsoft System Center Service Manager 2022 Affected: -
Create a notification for this product.
Microsoft System Center Service Manager 2025 Affected: -
Create a notification for this product.
Microsoft System Center Virtual Machine Manager 2019 Affected: -
Create a notification for this product.
Microsoft System Center Virtual Machine Manager 2022 Affected: -
Create a notification for this product.
Microsoft System Center Virtual Machine Manager 2025 Affected: -
Create a notification for this product.
Date Public
2025-04-08 07:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27743",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-08T19:57:39.876585Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-08T19:57:50.616Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "System Center Data Protection Manager 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Data Protection Manager 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Data Protection Manager 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Operations Manager 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Operations Manager 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Operations Manager 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Orchestrator 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Orchestrator 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Orchestrator 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Service Manager 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Service Manager 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Service Manager 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Virtual Machine Manager 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Virtual Machine Manager 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "System Center Virtual Machine Manager 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_virtual_machine_manager_2022:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_virtual_machine_manager_2019:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_virtual_machine_manager_2025:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_data_protection_manager_2025:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_data_protection_manager_2022:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_data_protection_manager_2019:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_orchestrator_2019:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_orchestrator_2022:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_orchestrator_2025:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_service_manager_2019:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_service_manager_2022:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_service_manager_2025:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_operations_manager_2019:*:-:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_operations_manager_2022:*:-:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:system_center_operations_manager_2025:*:-:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2025-04-08T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Untrusted search path in System Center allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T19:32:43.265Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft System Center Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27743"
        }
      ],
      "title": "Microsoft System Center Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2025-27743",
    "datePublished": "2025-04-08T17:23:25.628Z",
    "dateReserved": "2025-03-06T04:26:08.553Z",
    "dateUpdated": "2026-02-13T19:32:43.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-27167 (GCVE-0-2025-27167)

Vulnerability from cvelistv5 – Published: 2025-03-11 18:00 – Updated: 2025-03-11 18:31
VLAI
Title
Illustrator | Untrusted Search Path (CWE-426)
Summary
Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-426 - Untrusted Search Path (CWE-426)
Assigner
References
Impacted products
Vendor Product Version
Adobe Illustrator Affected: 0 , ≤ 28.7.4 (semver)
Create a notification for this product.
Date Public
2025-03-11 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27167",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-11T18:28:42.085246Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-11T18:31:11.430Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Illustrator",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "28.7.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-03-11T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "Untrusted Search Path (CWE-426)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-11T18:00:29.239Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/illustrator/apsb25-17.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Illustrator | Untrusted Search Path (CWE-426)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-27167",
    "datePublished": "2025-03-11T18:00:29.239Z",
    "dateReserved": "2025-02-19T22:28:19.017Z",
    "dateUpdated": "2025-03-11T18:31:11.430Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.