CVE-2025-1415

A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416. In order to perform the attack, one has to know a task_id, but since it's a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/05/CVE-2025-1415
https://proget.pl/en/mobile-device-management/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Un usuario con pocos privilegios puede obtener información sobre las tareas ejecutadas en dispositivos controlados por Proget MDM (Gestión de Dispositivos Móviles), así como detalles de los dispositivos, como sus UUID, necesarios para explotar la vulnerabilidad CVE-2025-1416. Para ejecutar el ataque, se necesita conocer un task_id, pero dado que es un entero bajo y no hay límite de solicitudes que un atacante puede realizar a un endpoint vulnerable, el task_id podría ser simplemente atacado por fuerza bruta. Este problema se ha corregido en la versión 2.17.5 de Konsola Proget (componente servidor de la suite MDM).

21 May 2025, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 12:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-1415

Mitre link : CVE-2025-1415

CVE.ORG link : CVE-2025-1415

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-1415", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-21T12:16:20.817", "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415", "source": "cvd@cert.pl"}, {"url": "https://proget.pl/en/mobile-device-management/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416.\n\nIn order to perform the attack, one has to know a task_id, but since it's a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced.\n\nThis issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite)."}, {"lang": "es", "value": "Un usuario con pocos privilegios puede obtener informaci\u00f3n sobre las tareas ejecutadas en dispositivos controlados por Proget MDM (Gesti\u00f3n de Dispositivos M\u00f3viles), as\u00ed como detalles de los dispositivos, como sus UUID, necesarios para explotar la vulnerabilidad CVE-2025-1416. Para ejecutar el ataque, se necesita conocer un task_id, pero dado que es un entero bajo y no hay l\u00edmite de solicitudes que un atacante puede realizar a un endpoint vulnerable, el task_id podr\u00eda ser simplemente atacado por fuerza bruta. Este problema se ha corregido en la versi\u00f3n 2.17.5 de Konsola Proget (componente servidor de la suite MDM)."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cvd@cert.pl"}