PT-2025-9092 · Cyberark · Cyberark Endpoint Privilege Manager
Karol Mazurek
+3
·
Published
2025-02-28
·
Updated
2025-03-04
·
CVE-2025-22273
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
CyberArk Endpoint Privilege Manager in SaaS version 24.7.1
Description
The application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint, it is possible to perform a brute force attack on the current password in use.
Recommendations
For CyberArk Endpoint Privilege Manager in SaaS version 24.7.1, consider implementing rate limiting on the "/EPMUI/VfManager.asmx/ChangePassword" endpoint to prevent brute force attacks until a patch is available. As a temporary workaround, restrict access to this endpoint to minimize the risk of exploitation.
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cyberark Endpoint Privilege Manager