PT-2025-31459 · ExaGrid · ExaGrid EX10
0Xsu3Ks · Published 2025-07-30 · Updated 2025-07-31 · CVE-2025-29556
CVSS v3.1: 7.3 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
ExaGrid EX10 versions 6.3 through 7.0.1.P08
Description
ExaGrid EX10 versions 6.3 through 7.0.1.P08 are susceptible to an incorrect access control issue. Starting with version 6.3, ExaGrid restricts users with the Admin role from creating or modifying users with the Security Officer role without proper authorization. A flaw in the account creation process lets an attacker with Admin access bypass these restrictions: by intercepting and modifying the API request sent during user creation, the attacker can alter its parameters so that the new account is assigned to the ExaGrid Security Officers group without the required approval. The restriction is enforced by the client-side workflow rather than by the server handling the API request.
Recommendations
ExaGrid EX10 version 6.3: Restrict access to the user creation API endpoint.
ExaGrid EX10 versions 6.3 through 7.0.1.P08: Carefully review and validate all API requests related to user creation and modification to ensure proper authorization checks are enforced.
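The pattern behind this advisory is a server that checks whether the caller may create users at all, then copies the requested group list straight from the request body, trusting the UI never to offer a privileged group. The following is an added, constructed example (not ExaGrid's code or API): the role names and the "ExaGrid Security Officers" group are taken from the advisory, while the request fields, the `approval_ref` mechanism and the handler functions are assumptions. It shows the unchecked handler beside a hardened one that makes privileged-group membership a separate server-side decision, plus an audit check a detection pipeline could run over API logs.

```python
from dataclasses import dataclass
from typing import Optional

# Role and group names as quoted in the advisory; everything else is constructed.
ADMIN = "Admin"
SECURITY_OFFICER = "Security Officer"
SO_GROUP = "ExaGrid Security Officers"
PRIVILEGED_GROUPS = frozenset({SO_GROUP})

# Hypothetical stand-in for the product's approval workflow: approval
# references that a Security Officer has issued out of band.
VALID_APPROVALS = {"approval-constructed-0001"}


@dataclass
class Caller:
    name: str
    role: str


@dataclass
class CreateUserRequest:
    username: str
    groups: list            # field name is an assumption, not ExaGrid's API
    approval_ref: Optional[str] = None


class AuthorizationError(Exception):
    pass


def _require_user_admin(caller: Caller) -> None:
    """Coarse check: only Admins and Security Officers may create users."""
    if caller.role not in (ADMIN, SECURITY_OFFICER):
        raise AuthorizationError(f"{caller.name} ({caller.role}) may not create users")


def create_user_vulnerable(caller: Caller, req: CreateUserRequest) -> dict:
    """Flawed form: caller is allowed to create users, so every group named in
    the request body is honoured. A request edited in transit therefore lands
    the new account in the Security Officers group with no approval."""
    _require_user_admin(caller)
    return {"username": req.username, "groups": sorted(req.groups)}


def create_user_hardened(caller: Caller, req: CreateUserRequest) -> dict:
    """Fixed form: membership of a privileged group is decided server-side from
    the caller's role and a verifiable approval, never from the mere presence
    of a group name in the request."""
    _require_user_admin(caller)
    requested_privileged = PRIVILEGED_GROUPS.intersection(req.groups)
    if requested_privileged and caller.role != SECURITY_OFFICER:
        if req.approval_ref not in VALID_APPROVALS:
            raise AuthorizationError(
                f"{caller.name} requested {sorted(requested_privileged)} "
                "without a valid Security Officer approval")
    return {"username": req.username, "groups": sorted(req.groups)}


def is_denied(handler, caller: Caller, req: CreateUserRequest) -> bool:
    """True if the handler refuses the request."""
    try:
        handler(caller, req)
    except AuthorizationError:
        return True
    return False


def audit_create_request(caller: Caller, req: CreateUserRequest) -> list:
    """Detection-side view: findings worth alerting on from an API audit log,
    regardless of whether the handler accepted the request."""
    findings = []
    requested_privileged = PRIVILEGED_GROUPS.intersection(req.groups)
    if requested_privileged and caller.role != SECURITY_OFFICER:
        findings.append(f"{caller.name} ({caller.role}) attempted to add "
                        f"{req.username} to {sorted(requested_privileged)}")
        if req.approval_ref not in VALID_APPROVALS:
            findings.append("no valid Security Officer approval attached")
    return findings


if __name__ == "__main__":
    admin = Caller("alice", ADMIN)
    # Constructed request: an Admin-level call whose body names the privileged group.
    tampered = CreateUserRequest("newuser", ["Users", SO_GROUP])
    print("vulnerable handler accepts:", create_user_vulnerable(admin, tampered))
    print("hardened handler denies:", is_denied(create_user_hardened, admin, tampered))
    print("audit findings:", audit_create_request(admin, tampered))
```

The hardened handler enforces the second recommendation above: the authorization decision for the Security Officers group is made from server-held state (caller role, approval record), so editing the request body changes nothing. The audit function gives a defender a single rule to run over user-creation API logs on unpatched versions: any non-Security-Officer caller naming the privileged group is worth an alert, and one with no approval attached is a likely bypass attempt.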
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2025-29556
Affected Products
ExaGrid EX10