{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1416", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2025-02-18T13:43:45.787Z", "datePublished": "2025-05-21T13:03:07.286Z", "dateUpdated": "2025-05-21T13:31:23.727Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Proget", "vendor": "Proget", "versions": [{"lessThan": "2.17.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Marcin W\u0119g\u0142owski (AFINE)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently&nbsp;use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by exploiting&nbsp;CVE-2025-1415 or&nbsp;CVE-2025-1417.</p><p>This issue has been fixed in&nbsp;2.17.5 version of&nbsp;Konsola Proget (server part of the MDM suite).<br></p>"}], "value": "In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently\u00a0use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by exploiting\u00a0CVE-2025-1415 or\u00a0CVE-2025-1417.\n\nThis issue has been fixed in\u00a02.17.5 version of\u00a0Konsola Proget (server part of the MDM suite)."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-05-21T13:22:59.694Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415"}, {"tags": ["product"], "url": "https://proget.pl/en/mobile-device-management/"}], "source": {"discovery": "UNKNOWN"}, "title": "Password disclosure in Proget MDM", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-21T13:31:18.566757Z", "id": "CVE-2025-1416", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T13:31:23.727Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1416", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-21T13:31:18.566757Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T13:31:20.877Z"}}], "cna": {"title": "Password disclosure in Proget MDM", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Marcin W\u0119g\u0142owski (AFINE)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Proget", "product": "Proget", "versions": [{"status": "affected", "version": "0", "lessThan": "2.17.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415", "tags": ["third-party-advisory"]}, {"url": "https://proget.pl/en/mobile-device-management/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently\u00a0use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by exploiting\u00a0CVE-2025-1415 or\u00a0CVE-2025-1417.\n\nThis issue has been fixed in\u00a02.17.5 version of\u00a0Konsola Proget (server part of the MDM suite).", "supportingMedia": [{"type": "text/html", "value": "<p>In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently&nbsp;use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by exploiting&nbsp;CVE-2025-1415 or&nbsp;CVE-2025-1417.</p><p>This issue has been fixed in&nbsp;2.17.5 version of&nbsp;Konsola Proget (server part of the MDM suite).<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-05-21T13:22:59.694Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1416", "state": "PUBLISHED", "dateUpdated": "2025-05-21T13:31:23.727Z", "dateReserved": "2025-02-18T13:43:45.787Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2025-05-21T13:03:07.286Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently\u00a0use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by exploiting\u00a0CVE-2025-1415 or\u00a0CVE-2025-1417.\n\nThis issue has been fixed in\u00a02.17.5 version of\u00a0Konsola Proget (server part of the MDM suite)."}, {"lang": "es", "value": "En Proget MDM, un usuario con pocos privilegios puede recuperar contrase\u00f1as de dispositivos administrados y, posteriormente, usar funcionalidades restringidas por la MDM (Administraci\u00f3n de Dispositivos M\u00f3viles). Para ello, debe conocer los UUID de los dispositivos objetivo, que podr\u00edan obtenerse mediante la explotaci\u00f3n de CVE-2025-1415 o CVE-2025-1417. Este problema se ha corregido en la versi\u00f3n 2.17.5 de Konsola Proget (componente servidor de la suite MDM)."}], "id": "CVE-2025-1416", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2025-05-21T13:16:00.700", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415"}, {"source": "cvd@cert.pl", "url": "https://proget.pl/en/mobile-device-management/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}

{}