Cybersecurity researchers have uncovered a critical security flaw in Securden Unified PAM that allows attackers to completely bypass authentication mechanisms and gain unauthorized access to sensitive credentials and system functions.
The vulnerability, designated as CVE-2025-53118 with a CVSS score of 9.4, represents one of four serious security issues discovered in the privileged access management solution that could enable complete system compromise.
The authentication bypass vulnerability exploits a fundamental flaw in how Securden Unified PAM handles session management.
Attackers can navigate to the /thirdparty-access endpoint to automatically receive a securdensession cookie, which can then be leveraged to obtain CSRF tokens and securdenpost cookies through the /get_csrf_token URL.
This cookie-based authentication mechanism fails to properly validate user authorization, instead only checking for the presence of these session tokens.
The discovery emerged during continuous red teaming exercises conducted through Rapid7’s Vector Command service.
Rapid7 analysts identified the vulnerabilities while performing routine security assessments, quickly recognizing the severe implications for organizations relying on the PAM solution for credential management and access control.
Beyond the primary authentication bypass, researchers uncovered three additional vulnerabilities that compound the security risk.
These include an unauthenticated unrestricted file upload flaw (CVE-2025-53119), a path traversal vulnerability in file upload functionality (CVE-2025-53120), and a shared SSH key infrastructure issue (CVE-2025-6737) that affects Securden’s cloud gateway services.
Exploitation Mechanism and Technical Analysis
The authentication bypass becomes particularly dangerous when chained with the product's backup functionality.
Once attackers obtain the necessary session tokens, they can access the /configure_schedule endpoint to trigger encrypted password backups with administrator privileges.
The attack leverages the SCHEDULE_ENCRYPTED_HTML_BACKUP type to extract complete credential databases, requiring only that a superadmin account exists within the system.
Technical analysis reveals that successful exploitation requires removing the X-Requested-With header from the bypass requests, as the server returns errors when this header is present.
Attackers can specify custom backup locations, including external SMB shares or the application’s static webroot folder, enabling direct download of encrypted credential files.
The backup filenames follow predictable patterns based on backup timestamps, making them susceptible to brute-force discovery attacks.
The vulnerability’s impact extends beyond simple credential theft. When combined with the file upload vulnerabilities, attackers can achieve complete remote code execution by overwriting system files like postgresBackup.bat with malicious PowerShell commands.
This multi-stage attack chain transforms what initially appears as an authentication issue into full system compromise capability.
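As an added illustration from the defender's side (this is example code written for this article, not code from Rapid7, Securden, or the researchers), the following Python script scans web-server access logs for the request pattern described above: the /thirdparty-access, /get_csrf_token and /configure_schedule sequence from one client, /configure_schedule calls arriving without the X-Requested-With header, and repeated misses against the static webroot that would accompany guessing of timestamp-based backup filenames. It also checks an installed version against the affected range reported in the article. The log format, the xrw field, the /static/ prefix and the sample log lines are all constructed assumptions.

```python
"""Detection heuristics for the Securden Unified PAM bypass chain (CVE-2025-53118).

Added example, not vendor or researcher code. The access-log format below is
an assumption: "<ISO timestamp> <client_ip> <method> <path> <status> xrw=<yes|no>"
where xrw records whether the X-Requested-With header was present on the request.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered endpoint sequence of the bypass as described in the article.
BYPASS_SEQUENCE = ("/thirdparty-access", "/get_csrf_token", "/configure_schedule")
# Assumed URL prefix of the application's static webroot folder.
STATIC_PREFIX = "/static/"

# Constructed sample log lines (not real Securden logs): one client walks the
# bypass chain and then probes for backup files; a second client is ordinary use.
SAMPLE_LOG = """\
2025-08-01T10:00:01 203.0.113.7 GET /thirdparty-access 200 xrw=no
2025-08-01T10:00:02 203.0.113.7 GET /get_csrf_token 200 xrw=no
2025-08-01T10:00:05 203.0.113.7 POST /configure_schedule 200 xrw=no
2025-08-01T10:00:09 203.0.113.7 GET /static/backup_20250801100005.html 404 xrw=no
2025-08-01T10:00:10 203.0.113.7 GET /static/backup_20250801100006.html 404 xrw=no
2025-08-01T10:00:11 203.0.113.7 GET /static/backup_20250801100007.html 404 xrw=no
2025-08-01T10:05:00 198.51.100.4 GET /login 200 xrw=yes
2025-08-01T10:05:03 198.51.100.4 POST /configure_schedule 200 xrw=yes
"""


def parse_log(text):
    """Parse the assumed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, ip, method, path, status, xrw = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "ip": ip,
            "method": method,
            "path": path,
            "status": int(status),
            "has_xrw": xrw == "xrw=yes",
        })
    return events


def find_bypass_chains(events, window=timedelta(minutes=5)):
    """Return client IPs that hit the three bypass endpoints in order within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        stage, start = 0, None
        for e in evs:
            if stage and e["time"] - start > window:
                stage, start = 0, None  # partial sequence expired; start over
            if e["path"] == BYPASS_SEQUENCE[stage]:
                if stage == 0:
                    start = e["time"]
                stage += 1
                if stage == len(BYPASS_SEQUENCE):
                    flagged.append(ip)
                    break
    return flagged


def find_unauthenticated_schedule_calls(events):
    """Return (ip, time) for /configure_schedule requests lacking X-Requested-With."""
    return [(e["ip"], e["time"].isoformat()) for e in events
            if e["path"] == "/configure_schedule" and not e["has_xrw"]]


def find_backup_guessing(events, threshold=3):
    """Return IPs with at least `threshold` 404s under the static webroot."""
    misses = defaultdict(int)
    for e in events:
        if e["path"].startswith(STATIC_PREFIX) and e["status"] == 404:
            misses[e["ip"]] += 1
    return sorted(ip for ip, n in misses.items() if n >= threshold)


def is_affected(version):
    """True if a version string falls in the article's affected range 9.0.x through 11.3.1.

    The fix is 11.4.4; versions between 11.3.1 and 11.4.4 are not characterised here.
    """
    v = tuple(int(p) for p in version.split("."))
    return (9, 0) <= v[:2] and v <= (11, 3, 1)


def analyze(text):
    """Run every heuristic over a log text and collect the findings."""
    events = parse_log(text)
    return {
        "bypass_chains": find_bypass_chains(events),
        "schedule_without_xrw": find_unauthenticated_schedule_calls(events),
        "backup_guessing": find_backup_guessing(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    print("11.3.1 affected:", is_affected("11.3.1"), "| 11.4.4 affected:", is_affected("11.4.4"))
```

The sequence check is stateful per client so that a single stray request to one of the endpoints does not fire; the header check is the cheapest standalone signal, since the article notes that the bypass only works when X-Requested-With is absent, while browser-driven use of the console would normally include it.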
| CVE ID | Vulnerability Name | CVSS Score | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2025-53118 | Authentication Bypass | 9.4 | Bypass authentication to access backup functions and steal passwords/secrets | 9.0.x through 11.3.1 |
| CVE-2025-53119 | Unauthenticated Unrestricted File Upload | 7.5 | Upload malicious binaries and scripts without authentication | 9.0.x through 11.3.1 |
| CVE-2025-53120 | Path Traversal In File Upload | 9.4 | Remote code execution via path traversal in file uploads | 9.0.x through 11.3.1 |
| CVE-2025-6737 | Shared SSH Key and Cloud Infrastructure | 7.2 | Access gateway server with low privileges using shared credentials | 9.0.x through 11.3.1 |
Securden has addressed these vulnerabilities in version 11.4.4, emphasizing the critical importance of immediate updates for all affected installations to prevent potential exploitation of these serious security flaws.