PT-2025-9092 · Cyberark · Cyberark Endpoint Privilege Manager

Karol Mazurek

Publicado

2025-02-28

Atualizado

2025-03-04

CVE-2025-22273

CVSS v4.0

9.3

Crítica

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions CyberArk Endpoint Privilege Manager in SaaS version 24.7.1

Description The application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint, it is possible to perform a brute force attack on the current password in use.

Recommendations For CyberArk Endpoint Privilege Manager in SaaS version 24.7.1, consider implementing rate limiting on the "/EPMUI/VfManager.asmx/ChangePassword" endpoint to prevent brute force attacks until a patch is available. As a temporary workaround, restrict access to this endpoint to minimize the risk of exploitation.

Correção

Allocation of Resources Without Limits

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-770

Identificadores relacionados

CVE-2025-22273

Produtos afetados

Cyberark Endpoint Privilege Manager

PT-2025-9092 · Cyberark · Cyberark Endpoint Privilege Manager

CVE-2025-22273

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 13