PT-2025-22353 · Microsoft+1 · Office Excel+1
Marcin Węgłowski · Published 2025-05-21 · Updated 2025-05-21 · CVE-2025-1421
CVSS v4.0: 2.4 (Low)
Vector: AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Konsola Proget (server part of the MDM suite) versions prior to 2.17.5
Description
The issue arises when data provided in a request to the server during new device activation is stored in a database. High-privileged users who download this data as a CSV file and open it in tools like Microsoft Excel may inadvertently corrupt their PC, potentially allowing an attacker to gain remote access to the user's PC.
Recommendations
For versions prior to 2.17.5, update to version 2.17.5 to resolve the issue. As a temporary workaround, consider restricting access to the database and limiting the ability of high-privileged users to download and open potentially malicious CSV files. Avoid using Microsoft Excel or similar tools to open downloaded CSV files from the server until the issue is resolved.
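One way an export routine can keep spreadsheet tools from evaluating stored device data, shown as an added example that is not Konsola Proget's code or its 2.17.5 fix. It assumes the issue is spreadsheet formula interpretation of CSV cells, which the advisory does not state; the field names and sample records are constructed.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (the set listed in OWASP's CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet could interpret the cell as a formula."""
    # Check the raw first character (tab and CR are triggers themselves) and
    # the first character after leading whitespace, which importers may trim.
    return value.startswith(FORMULA_TRIGGERS) or value.lstrip().startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return the cell as text that a spreadsheet displays instead of evaluating."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_csv(rows, fieldnames) -> str:
    """Serialize rows with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def audit_rows(rows):
    """List (row index, field) pairs already stored with formula-like content."""
    return [(i, k) for i, row in enumerate(rows) for k, v in row.items()
            if isinstance(v, str) and is_formula_like(v)]


# Constructed sample activation records; field names are hypothetical.
SAMPLE_DEVICES = [
    {"device_name": "Warehouse tablet 7", "model": "SM-T500", "serial": "R52N10ABCDE"},
    {"device_name": "=SUM(1,1)", "model": "Pixel 6", "serial": "+4815162342"},
    {"device_name": "  @ops-phone", "model": "-", "serial": "1A2B3C"},
]

if __name__ == "__main__":
    print(audit_rows(SAMPLE_DEVICES))
    print(export_csv(SAMPLE_DEVICES, ["device_name", "model", "serial"]))
```

The apostrophe prefix also changes legitimate values that begin with a trigger character, such as negative numbers, so downstream consumers of the export need to expect it.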
Fix
RCE
Affected Products
Konsola Proget
Office Excel