Securden Unified PAM is a comprehensive privileged access management platform that is used to store, manage, and monitor credentials across human, machine, and AI identities in a variety of environments.
Rapid7 researchers discovered four vulnerabilities in the platform, two of them rated critical, during ongoing red team operations delivered through Rapid7’s Vector Command service.
The flaws cover authentication bypass, unrestricted file upload, path traversal, and shared infrastructure in the vendor-hosted gateway. Chained together, they let an unauthenticated attacker read stored passwords, execute arbitrary code on the PAM server, or reach a gateway shared with other customers.
Rapid7’s team, including Principal Security Consultant Aaron Herndon and Security Consultant Marcus Chang, identified the issues during simulated adversarial testing. A PAM holds access controls, session recordings, and integrated Active Directory user management, which makes it a high-value target for threat actors seeking to compromise an organization’s credential governance in one step.
The vulnerabilities affect versions 9.0.x through 11.3.1 and are fixed in version 11.4.4, released after coordinated disclosure between Rapid7 and Securden.
Continuous Red Teaming Exercises
The most severe issue, CVE-2025-53118, rated CVSS 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), lets an unauthenticated attacker bypass authentication by manipulating session cookies and CSRF tokens obtained from endpoints that serve them without a login, such as /thirdparty-access and /get_csrf_token.
The bypass grants control over administrator backup functions, such as triggering encrypted password exports through the /configure_schedule endpoint with a schedule_type of SCHEDULE_ENCRYPTED_HTML_BACKUP.
Because the attacker supplies both the encryption passphrase and the output location, including a remote SMB share or the application’s own /static/ webroot, the resulting backup can be retrieved and decrypted at will, exposing the passwords, secrets, and session tokens it contains.

Where the superadmin account is disabled, an attacker can still force a full database backup (schedule_type DATABASE_BACKUP), extract the active Django session cookies from it, and hijack those sessions to retrieve credentials through the application’s legitimate interfaces.
Exploitation requires omitting the X-Requested-With header to avoid server errors. Backup filenames are date-based and therefore partially guessable, and because a backup can be re-triggered every few minutes, an attacker can keep harvesting whatever user sessions are valid at the time, which amplifies the risk of impersonation.
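The backup-scheduling abuse described above leaves a recognisable pattern in request logs: anonymous hits on the token endpoints, followed by /configure_schedule calls carrying a backup schedule_type from a session bound to no authenticated user, usually without X-Requested-With, and repeating every few minutes. The following detector is an added example and not Rapid7’s or Securden’s code. It assumes an application-level request log with one JSON event per line and the field names shown (ts, ip, method, path, user, params, headers); the sample log, the IP addresses, and the 15-minute burst window are constructed for illustration.

```python
"""Flag Securden-style backup-scheduling abuse in a JSON request log.

Added example; the log schema is an assumption, not Securden's own format.
Endpoints, schedule types and the X-Requested-With detail come from the disclosure.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_ENDPOINTS = {"/thirdparty-access", "/get_csrf_token"}
BACKUP_ENDPOINT = "/configure_schedule"
BACKUP_TYPES = {"SCHEDULE_ENCRYPTED_HTML_BACKUP", "DATABASE_BACKUP"}
BURST_WINDOW = timedelta(minutes=15)   # assumed tuning value
BURST_THRESHOLD = 2                     # more than this many backups per IP in the window

# Constructed sample log (RFC 5737 documentation addresses). Lines 1-5 model the
# attack; line 6 is an authenticated admin scheduling a backup from the normal UI.
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:00:01Z","ip":"203.0.113.7","method":"GET","path":"/thirdparty-access","user":null,"params":{},"headers":{}}
{"ts":"2025-07-01T10:00:02Z","ip":"203.0.113.7","method":"GET","path":"/get_csrf_token","user":null,"params":{},"headers":{}}
{"ts":"2025-07-01T10:00:05Z","ip":"203.0.113.7","method":"POST","path":"/configure_schedule","user":null,"params":{"schedule_type":"SCHEDULE_ENCRYPTED_HTML_BACKUP"},"headers":{}}
{"ts":"2025-07-01T10:04:10Z","ip":"203.0.113.7","method":"POST","path":"/configure_schedule","user":null,"params":{"schedule_type":"DATABASE_BACKUP"},"headers":{}}
{"ts":"2025-07-01T10:08:30Z","ip":"203.0.113.7","method":"POST","path":"/configure_schedule","user":null,"params":{"schedule_type":"DATABASE_BACKUP"},"headers":{}}
{"ts":"2025-07-01T11:30:00Z","ip":"198.51.100.4","method":"POST","path":"/configure_schedule","user":"admin","params":{"schedule_type":"DATABASE_BACKUP"},"headers":{"X-Requested-With":"XMLHttpRequest"}}
{"ts":"2025-07-01T11:31:00Z","ip":"198.51.100.9","method":"GET","path":"/dashboard","user":"alice","params":{},"headers":{"X-Requested-With":"XMLHttpRequest"}}
"""


def parse_events(text):
    """Parse JSON-lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events):
    """Return (rule, ip, timestamp) findings, evaluated in time order."""
    findings = []
    token_fetchers = set()        # IPs that pulled cookies/CSRF tokens anonymously
    backups = defaultdict(list)   # ip -> recent backup-scheduling timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, path, ts = ev["ip"], ev["path"], ev["ts"]
        if path in TOKEN_ENDPOINTS and ev["user"] is None:
            token_fetchers.add(ip)
            continue
        if path != BACKUP_ENDPOINT or ev["params"].get("schedule_type") not in BACKUP_TYPES:
            continue
        # Rule 1: a backup scheduled by a session with no authenticated user.
        if ev["user"] is None:
            findings.append(("unauthenticated_backup_schedule", ip, ts))
        # Rule 2: the bypass must omit X-Requested-With; the browser UI is assumed
        # to send it, so its absence on this endpoint is a weak but useful signal.
        if "X-Requested-With" not in ev["headers"]:
            findings.append(("backup_schedule_missing_xrw", ip, ts))
        # Rule 3: anonymous token fetch followed by a backup from the same IP.
        if ip in token_fetchers:
            findings.append(("token_fetch_then_backup", ip, ts))
        # Rule 4: repeated backups inside the window (session-harvesting loop).
        backups[ip] = [t for t in backups[ip] if ts - t <= BURST_WINDOW] + [ts]
        if len(backups[ip]) > BURST_THRESHOLD:
            findings.append(("backup_burst", ip, ts))
    return findings


def attacker_ips(findings):
    """Distinct source IPs across all findings, sorted."""
    return sorted({ip for _, ip, _ in findings})


if __name__ == "__main__":
    for rule, ip, ts in detect(parse_events(SAMPLE_LOG)):
        print(ts.isoformat(), ip, rule)
```

On the sample, every finding points at 203.0.113.7 and the authenticated admin on 198.51.100.4 produces none. Rule 1 is the strongest single indicator, since no legitimate client can reach /configure_schedule without a logged-in user; rules 2 to 4 are corroboration and are what you would tune (window, threshold) against your own traffic.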
Compounding this, CVE-2025-53119 (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and CVE-2025-53120 (CVSS 9.4: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) are an unauthenticated unrestricted file upload and an unauthenticated path traversal in the /accountapp/upload_web_recordings_from_api_server endpoint.
The former accepts arbitrary files, including binaries and scripts, into the server’s web recordings directory with no file type validation; the latter passes the file_name and relative_path parameters through without normalisation, so traversal sequences can place the uploaded file in configuration or web root directories and overwrite what is already there.
For instance, replacing the default postgresBackup.bat with a reverse shell payload yields remote code execution the next time the routine database backup runs it.
Testing showed these were exploitable from version 11.1.x onward but not in 9.0.1. Combined with the authentication bypass, they give an unauthenticated attacker code execution with the privileges of the PAM service on the server.
This chain points to missing input sanitization and access control on an endpoint that writes to disk, and it ends in full compromise of the server that holds the organization’s privileged credentials.
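The traversal works because user-supplied relative_path and file_name are joined onto the recordings directory as given. The example below, added here and not Securden’s code, shows that pre-fix behaviour beside a hardened form of the same path construction: a bare file name with an allow-listed extension, a relative_path with no absolute prefix, backslash, drive letter, or ".." segment, and a final containment check after normalisation. The recordings directory /opt/pam/web_recordings and the allowed extensions are assumptions chosen for illustration; only the parameter names and the postgresBackup.bat target come from the disclosure.

```python
"""Vulnerable vs hardened construction of an upload target path.

Added example, not Securden's code. PurePosixPath is used so the result is the
same on any host; the directory layout and extension list are assumptions.
"""
import posixpath
from pathlib import PurePosixPath

RECORDINGS_DIR = PurePosixPath("/opt/pam/web_recordings")  # assumed layout
ALLOWED_SUFFIXES = {".webm", ".mp4", ".json"}               # assumed recording formats


def vulnerable_target(relative_path, file_name):
    """Pre-fix behaviour as the disclosure describes it: components are joined
    as supplied, so '../' leaves the recordings root and any file type is kept."""
    return posixpath.normpath(posixpath.join(str(RECORDINGS_DIR), relative_path, file_name))


class UploadRejected(ValueError):
    """Raised when the request would write outside the recordings root."""


def hardened_target(relative_path, file_name):
    # 1. file_name must be a single path component with an allowed extension.
    if file_name in ("", ".", "..") or any(c in file_name for c in "/\\\x00"):
        raise UploadRejected("file_name must be a bare file name")
    if PurePosixPath(file_name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UploadRejected("file type not allowed")
    # 2. relative_path: no absolute prefix, backslashes, drive letters, NULs or '..'.
    if relative_path.startswith("/") or any(c in relative_path for c in "\\:\x00"):
        raise UploadRejected("relative_path must be a plain relative POSIX path")
    segments = [s for s in relative_path.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise UploadRejected("relative_path may not traverse")
    # 3. Normalise and re-check containment, so the filters above are not the
    # only line of defence if a new encoding slips past them.
    target = PurePosixPath(posixpath.normpath(str(RECORDINGS_DIR.joinpath(*segments, file_name))))
    if RECORDINGS_DIR not in target.parents:
        raise UploadRejected("resolved path escapes recordings root")
    return target


def is_safe(relative_path, file_name):
    """Convenience wrapper: True if hardened_target accepts the request."""
    try:
        hardened_target(relative_path, file_name)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Traversal into a sibling configuration directory, as the disclosure describes.
    print(vulnerable_target("../conf", "postgresBackup.bat"))
    print(hardened_target("2025/07/01", "session-1234.webm"))
    for rp, fn in [("../conf", "postgresBackup.bat"), ("../conf", "x.webm"),
                   ("", "../../x.webm"), ("/etc", "a.webm"), ("C:\\pam\\conf", "a.webm")]:
        print(rp, fn, "->", "accepted" if is_safe(rp, fn) else "rejected")
```

Two caveats a practitioner would add: decode any URL or Unicode escapes before these checks, and open the final file with O_CREAT|O_EXCL (or the equivalent in your framework) so an accepted upload can create a recording but never silently overwrite an existing file such as a backup script.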
Shared Infrastructure Risks
The fourth vulnerability, CVE-2025-6737 (CVSS 7.2: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), stems from Securden’s Remote Vendor Gateway portal, which shares SSH keys, access tokens, and cloud infrastructure across multiple customer tenants.
Rapid7 observed reverse SSH tunnels established with one key file (tunnel-user-key.pem) to a common server (for example 18.217.245.55 on port 443), so a credential present in every customer’s deployment is what stands between tenants and each other’s internal PAM instances.
Low-privilege access to that gateway therefore carries cross-customer risk: a tenant can enumerate other connected customers with netstat and potentially intercept their tunnels.
The reversetunnelcreator.log file showed connections from other tenants, and by monitoring file events the researchers captured the key, which is written to disk only briefly while the service restarts, confirming that the tenants are not isolated from one another.
Securden, under CEO Bala Venkatramani, fixed all four issues in version 11.4.4 and credited the researcher collaboration.
Customers are urged to update immediately: a compromised PAM hands an attacker the credentials it governs, which is a direct path to ransomware deployment, data theft, or lateral movement into every system the vault manages.
Rapid7 handled the findings under its coordinated disclosure policy, and the case illustrates the value of continuous red teaming in surfacing such weaknesses before they are exploited in the wild.