CVE-2025-1417

In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information include user ids, email addresses, first names, last names and device UUIDs. The last one can be used for exploitation of CVE-2025-1416. Successful exploitation requires UUID of a targeted backup, which cannot be brute forced. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/05/CVE-2025-1415
https://proget.pl/en/mobile-device-management/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) En Proget MDM, un usuario con pocos privilegios puede acceder a la información sobre los cambios contenidos en las copias de seguridad de todos los dispositivos administrados por MDM (Administración de Dispositivos Móviles). Esta información incluye identificadores de usuario, direcciones de correo electrónico, nombres, apellidos y UUID del dispositivo. Este último puede utilizarse para explotar la vulnerabilidad CVE-2025-1416. Para una explotación exitosa, se requiere el UUID de una copia de seguridad específica, que no puede forzarse. Este problema se ha corregido en la versión 2.17.5 de Konsola Proget (componente servidor de la suite MDM).

21 May 2025, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 13:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-1417

Mitre link : CVE-2025-1417

CVE.ORG link : CVE-2025-1417

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-1417", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.6, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-21T13:16:01.760", "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415", "source": "cvd@cert.pl"}, {"url": "https://proget.pl/en/mobile-device-management/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information include user ids, email addresses, first names, last names and device UUIDs. The last one can be used for exploitation of CVE-2025-1416.\n\nSuccessful exploitation requires UUID of a targeted backup, which cannot be brute forced.\u00a0\n\nThis issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite)."}, {"lang": "es", "value": "En Proget MDM, un usuario con pocos privilegios puede acceder a la informaci\u00f3n sobre los cambios contenidos en las copias de seguridad de todos los dispositivos administrados por MDM (Administraci\u00f3n de Dispositivos M\u00f3viles). Esta informaci\u00f3n incluye identificadores de usuario, direcciones de correo electr\u00f3nico, nombres, apellidos y UUID del dispositivo. Este \u00faltimo puede utilizarse para explotar la vulnerabilidad CVE-2025-1416. Para una explotaci\u00f3n exitosa, se requiere el UUID de una copia de seguridad espec\u00edfica, que no puede forzarse. Este problema se ha corregido en la versi\u00f3n 2.17.5 de Konsola Proget (componente servidor de la suite MDM)."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cvd@cert.pl"}