Cybersecurity researchers have identified a series of critical vulnerabilities in Securden Unified Privileged Access Management (PAM) software, notably an authentication bypass flaw designated as CVE-2025-53118 with a CVSS score of 9.4. This vulnerability enables attackers to circumvent authentication mechanisms, granting unauthorized access to sensitive credentials and system functionalities.
Authentication Bypass Vulnerability (CVE-2025-53118):
The primary issue lies in the session management of Securden Unified PAM. Attackers can exploit the `/thirdparty-access` endpoint to obtain a `securdensession` cookie. This cookie can then be used to acquire Cross-Site Request Forgery (CSRF) tokens and `securdenpost` cookies via the `/get_csrf_token` URL. The system’s reliance on these session tokens, without proper validation of user authorization, allows unauthorized access.
Additional Vulnerabilities:
Beyond the authentication bypass, researchers uncovered three more vulnerabilities:
1. Unauthenticated Unrestricted File Upload (CVE-2025-53119): This flaw permits attackers to upload malicious binaries and scripts without authentication, potentially leading to remote code execution.
2. Path Traversal in File Upload (CVE-2025-53120): By exploiting this vulnerability, attackers can perform path traversal during file uploads, enabling them to execute arbitrary code on the system.
3. Shared SSH Key Infrastructure Issue (CVE-2025-6737): This issue affects Securden’s cloud gateway services, allowing attackers to access the gateway server with low privileges using shared credentials.
Exploitation Mechanism and Technical Analysis:
The authentication bypass is particularly concerning because it can be chained with the backup functionality. Attackers can use the obtained session tokens to access the `/configure_schedule` endpoint, triggering encrypted password backups with administrative privileges. By specifying custom backup locations, such as external SMB shares or the application’s static webroot folder, attackers can directly download encrypted credential files. The predictable nature of backup filenames makes them susceptible to brute-force discovery attacks.
Furthermore, when the bypass is combined with the file upload vulnerabilities, attackers can achieve complete remote code execution by overwriting system files like `postgresBackup.bat` with malicious PowerShell commands. This multi-stage attack chain transforms an initial authentication issue into a full system compromise.
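As an added example (not from the article or from Securden), the following Python sketch correlates web-server access logs for the endpoint sequence described above: a session minted at `/thirdparty-access` that goes on to `/get_csrf_token` and then `/configure_schedule`. It assumes a combined-style log format in which the `securdensession` cookie value is logged as the last quoted field, a ten-minute correlation window, and constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints the advisory names, in the order the bypass chain touches them.
CHAIN = ("/thirdparty-access", "/get_csrf_token", "/configure_schedule")
WINDOW = timedelta(minutes=10)  # assumed correlation window
# Assumed combined-log format with the securdensession value logged as the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) \S+" '
                    r'\d{3} \S+ "(?P<session>[^"]*)"$')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # line does not match the assumed format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bypass_chains(lines):
    """Yield (session, ip, start_ts) for sessions hitting all CHAIN endpoints in order within WINDOW."""
    by_session = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"] in CHAIN:
            by_session[rec["session"]].append(rec)
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        stage, start, ip = 0, None, None
        for r in recs:
            if stage and r["ts"] - start > WINDOW:
                stage = 0  # window expired; look for a fresh chain
            if r["path"] != CHAIN[stage]:
                continue  # a logged-in admin never needs /thirdparty-access first
            if stage == 0:
                start, ip = r["ts"], r["ip"]
            stage += 1
            if stage == len(CHAIN):
                yield session, ip, start
                break

# Constructed sample: sess-A follows the chain; sess-B is a normal admin session; sess-C stops early.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:10:00:01 +0000] "GET /thirdparty-access HTTP/1.1" 200 512 "sess-A"',
    '203.0.113.7 - - [12/Aug/2025:10:00:03 +0000] "GET /get_csrf_token HTTP/1.1" 200 128 "sess-A"',
    '203.0.113.7 - - [12/Aug/2025:10:00:09 +0000] "POST /configure_schedule HTTP/1.1" 200 64 "sess-A"',
    '198.51.100.4 - - [12/Aug/2025:10:05:00 +0000] "GET /get_csrf_token HTTP/1.1" 200 128 "sess-B"',
    '198.51.100.4 - - [12/Aug/2025:10:05:02 +0000] "POST /configure_schedule HTTP/1.1" 200 64 "sess-B"',
    '192.0.2.9 - - [12/Aug/2025:11:00:00 +0000] "GET /thirdparty-access HTTP/1.1" 200 512 "sess-C"',
]
```

Running `list(find_bypass_chains(SAMPLE_LOG))` flags only `sess-A`; the ordering requirement keeps ordinary administrator sessions, which reach `/configure_schedule` without ever touching `/thirdparty-access`, out of the alert.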
Affected Versions and Mitigation:
The vulnerabilities affect Securden Unified PAM versions 9.0.x through 11.3.1. Securden has addressed these issues in version 11.4.4. Organizations using affected versions are strongly advised to update to the latest version immediately to prevent potential exploitation.