ExaGrid Backup Appliance Unauthorized Creation of Security Officer Account Vulnerability
Vulnerability Information
Vulnerability Name: ExaGrid Backup Appliance Unauthorized Creation of Security Officer Account Vulnerability
Vulnerability ID:
- CVE: CVE-2025-29556
Vulnerability Type: Privilege Escalation
Severity: High
Vulnerability Description: ExaGrid Backup Appliance is an enterprise-grade backup solution widely used for data protection and disaster recovery. It delivers backup and restore services through dedicated backup appliances and is commonly deployed in enterprise environments that require highly reliable, high-performance backup. The vulnerability disclosed here allows an attacker holding a low-privileged or hijacked session to bypass security controls and create a Security Officer account, the most privileged role on the appliance.
The root cause is that ExaGrid's API does not perform adequate validation and authorization checks when handling requests to create Security Officer accounts. Specifically, an attacker who holds a valid JSESSIONIDSSO cookie and the site UUID can send a crafted POST request to the /api/v1/sites/{uuid}/users endpoint, bypass the normal security checks, and create a new Security Officer account. This design flaw lets the attacker escalate privileges and gain complete control over backup operations.
The impact is severe: beyond allowing the creation of an account with the highest privileges, it can lead to tampering with backup data, destruction of backup policies and leakage of sensitive data. An attacker can use these privileges for malicious actions such as deleting or encrypting backups, posing a serious threat to the organization's data security. Because exploitation requires certain preconditions (a valid session cookie and the site UUID), some preparation is needed, but once those conditions are met the attack can be automated, which increases its practical impact.
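The defect described above is a missing authorization check on a privileged operation. The following Python sketch, added here and not ExaGrid's code, models that class of bug: a hypothetical "create user" handler that only checks that a session exists (the vulnerable pattern) next to a hardened version that binds the session to the site and requires an existing Security Officer before anyone can be placed in the exagrid-sec-offs group. The Session and Site types and the function names are assumptions for illustration; only the group name comes from the advisory.

```python
"""Authorization check for a privileged 'create user' operation.

Added illustrative example, not ExaGrid's implementation. The data model
(Session, Site) and the handler names are assumptions; the group name
'exagrid-sec-offs' is the one named in the advisory.
"""
from dataclasses import dataclass, field

SEC_OFFICER_GROUP = "exagrid-sec-offs"      # privileged group from the advisory
PRIVILEGED_GROUPS = {SEC_OFFICER_GROUP}     # groups that need an explicit grant


class AuthorizationError(Exception):
    """Raised when the caller is not entitled to the requested operation."""


@dataclass(frozen=True)
class Session:
    session_id: str        # e.g. the value of the SSO cookie (assumed model)
    user: str
    site_uuid: str         # site the session was issued for
    groups: frozenset      # groups of the authenticated user


@dataclass
class Site:
    uuid: str
    users: dict = field(default_factory=dict)   # username -> group


def create_user_vulnerable(session, site, username, group):
    """Vulnerable pattern: any valid session may create any user in any group.

    The only check is that a session object is present; neither the site
    binding nor the caller's role is examined before a privileged group
    membership is granted.
    """
    if session is None:
        raise AuthorizationError("no session")
    site.users[username] = group
    return username


def create_user_hardened(session, site, username, group):
    """Hardened pattern: enforce site binding, role, and uniqueness.

    1. The session must have been issued for the site in the URL.
    2. Only an existing Security Officer may create accounts in a
       privileged group (least privilege for role assignment).
    3. Existing accounts are never silently overwritten.
    """
    if session is None:
        raise AuthorizationError("no session")
    if session.site_uuid != site.uuid:
        raise AuthorizationError("session is not bound to this site")
    if group in PRIVILEGED_GROUPS and SEC_OFFICER_GROUP not in session.groups:
        raise AuthorizationError(
            f"caller {session.user!r} may not create accounts in {group!r}")
    if username in site.users:
        raise ValueError(f"user {username!r} already exists")
    site.users[username] = group
    return username


def demo():
    """Constructed scenario: a low-privileged session tries to add a Security Officer."""
    site = Site(uuid="11111111-2222-3333-4444-555555555555")   # constructed UUID
    low_priv = Session("sess-A", "backup_operator", site.uuid, frozenset({"exagrid-users"}))
    officer = Session("sess-B", "seco_admin", site.uuid, frozenset({SEC_OFFICER_GROUP}))

    results = {}
    results["vulnerable_allows_low_priv"] = (
        create_user_vulnerable(low_priv, site, "new_officer_v", SEC_OFFICER_GROUP) == "new_officer_v")
    try:
        create_user_hardened(low_priv, site, "new_officer_h", SEC_OFFICER_GROUP)
        results["hardened_blocks_low_priv"] = False
    except AuthorizationError:
        results["hardened_blocks_low_priv"] = True
    results["hardened_allows_officer"] = (
        create_user_hardened(officer, site, "new_officer_h", SEC_OFFICER_GROUP) == "new_officer_h")
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened handler shows the two checks whose absence the advisory describes: the session is tied to the site named in the request path, and creating a member of a privileged group requires that the caller already hold that role.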
Vendor: ExaGrid
Product: ExaGrid Backup Appliance
Affected Versions: Tested on current version at disclosure
Source: https://github.com/0xsu3ks/CVE-2025-29556
Type: CVE-2025:github search
Repository Files
- README.md
- cve-2025-29556.py
Source Overview
CVE-2025-29556 – ExaGrid Security Officer Account Creation Bypass
📝 Overview
Vulnerability Title: Unauthorized Creation of Security Officer Account
Product: ExaGrid Backup Appliance
Version Affected: Tested on current version at disclosure
CVE ID: CVE-2025-29556
Severity: High
Attack Vector: Authenticated, Low-Privileged Access
Impact: Privilege Escalation to Security Officer Role
🧨 Description
This proof-of-concept (PoC) demonstrates a critical flaw in ExaGrid’s API that allows a low-privileged or hijacked session to create Security Officer accounts without proper validation or authorization. The attacker must possess a valid JSESSIONIDSSO cookie and the site UUID.
The vulnerability enables privilege escalation and full administrative control over backup operations, user creation, encryption settings, and more.
🚀 Usage
⚙️ Prerequisites
- Python 3.x
- requests library (pip install requests)
- Valid JSESSIONIDSSO cookie
- Valid site UUID
📌 Command
Add --debug to view the raw response.
🧾 What It Does
- Sends a POST request to the /api/v1/sites/{uuid}/users endpoint
- Bypasses intended controls and creates a new user:
  - Username: Security_Officer_BYPASSED
  - Group: exagrid-sec-offs
  - Password: base64-encoded (example: XTNhXmJeKHo/P0hdTSY=)
🔐 Impact
- Bypasses access controls around Security Officer account creation
- Grants highest-level access within the backup appliance
- Can result in backup manipulation, policy tampering, and sensitive data access
🛡️ Mitigation
- Patch when a fix becomes available from ExaGrid
- Monitor for unexpected users in the exagrid-sec-offs group
- Invalidate suspicious or stale sessions
- Limit access to internal management interfaces
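The first mitigation, watching the exagrid-sec-offs group for members nobody approved, is easy to automate. The script below is an added example, not part of the PoC repository: it audits a user listing against an approved list of Security Officers and additionally flags the PoC's default username as a direct indicator. The JSON layout of the user export is an assumption (the page does not document the appliance's response format), and the sample records are constructed; the group name and the default username come from the README above.

```python
"""Audit Security Officer membership on an ExaGrid appliance export.

Added example, not code from the PoC repository. The export format
(a JSON list of objects with 'username' and either 'group' or 'groups')
is an assumption; the sample data below is constructed.
"""
import json

SEC_OFFICER_GROUP = "exagrid-sec-offs"                 # from the advisory
POC_DEFAULT_USERNAME = "Security_Officer_BYPASSED"     # default created by the public PoC

# Constructed sample export; field names are assumed, values are made up.
SAMPLE_USER_EXPORT = json.dumps([
    {"username": "seco_admin", "group": "exagrid-sec-offs"},
    {"username": "backup_op1", "group": "exagrid-admins"},
    {"username": "Security_Officer_BYPASSED", "group": "exagrid-sec-offs"},
    {"username": "svc_reports", "groups": ["exagrid-users", "exagrid-sec-offs"]},
    {"username": "auditor", "groups": ["exagrid-users"]},
])

# Constructed allowlist: the Security Officers the organisation actually approved.
APPROVED_SECURITY_OFFICERS = {"seco_admin"}


def groups_of(record):
    """Normalise a user record to a set of group names (handles 'group' or 'groups')."""
    if "groups" in record and isinstance(record["groups"], list):
        return set(record["groups"])
    if "group" in record:
        return {record["group"]}
    return set()


def security_officers(export_json):
    """Return the usernames that are members of the Security Officer group."""
    return sorted(
        rec.get("username", "")
        for rec in json.loads(export_json)
        if SEC_OFFICER_GROUP in groups_of(rec)
    )


def audit_security_officers(export_json, approved):
    """Compare current Security Officers with the approved list.

    Returns a list of (username, reason) findings, ordered as in the export.
    The PoC default username is reported with its own reason so it can be
    prioritised even if someone later adds it to the allowlist by mistake.
    """
    findings = []
    for rec in json.loads(export_json):
        if SEC_OFFICER_GROUP not in groups_of(rec):
            continue
        name = rec.get("username", "")
        if name == POC_DEFAULT_USERNAME:
            findings.append((name, "matches default username created by public PoC"))
        elif name not in approved:
            findings.append((name, "Security Officer not on approved list"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_security_officers(SAMPLE_USER_EXPORT, APPROVED_SECURITY_OFFICERS):
        print(f"ALERT {user}: {reason}")
```

Run it against a periodic export of the appliance's user list and alert on any finding; an empty result means the privileged group matches the approved set. Because the PoC lets the operator choose the username, the allowlist comparison is the check that matters, while the default-name match is only a convenient high-confidence indicator.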
👨💻 Author
Security Researcher – Kevin Suckiel – 0xsu3ks
PoC for CVE-2025-29556 disclosed through responsible channels.
⚠️ Legal Notice
This tool is intended for authorized testing and research purposes only. The author takes no responsibility for misuse or damage caused by this code.