{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66573", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-12-04T16:22:24.337Z", "datePublished": "2025-12-04T20:45:13.939Z", "dateUpdated": "2026-04-07T14:09:51.175Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Solstice Pod API Session Key Extraction via API Endpoint", "vendor": "mersive", "versions": [{"status": "affected", "version": "5.5"}, {"status": "affected", "version": "6.2"}]}], "credits": [{"lang": "en", "type": "finder", "value": "The Baldwin School Ethical Hackers, The Baldwin School"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication.</p>"}], "value": "Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T14:09:51.175Z"}, "references": [{"name": "ExploitDB-52104", "tags": ["exploit"], "url": "https://www.exploit-db.com/exploits/52104"}, {"name": "Mersive Homepage", "tags": ["product"], "url": "https://www.mersive.com/"}, {"name": "Solstice Documentation", "tags": ["product"], "url": "https://documentation.mersive.com/en/solstice/about-solstice.html"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint"}], "source": {"discovery": "UNKNOWN"}, "title": "Solstice Pod API Session Key Extraction via API Endpoint", "x_generator": {"engine": "vulncheck"}, "datePublic": "2025-03-29T00:00:00.000Z"}, "adp": [{"references": [{"url": "https://www.exploit-db.com/exploits/52104", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T17:52:11.355912Z", "id": "CVE-2025-66573", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T17:52:32.132Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66573", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T17:52:11.355912Z"}}}], "references": [{"url": "https://www.exploit-db.com/exploits/52104", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T17:52:03.261Z"}}], "cna": {"title": "Solstice Pod API Session Key Extraction via API Endpoint", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "The Baldwin School Ethical Hackers, The Baldwin School"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "mersive", "product": "Solstice Pod API Session Key Extraction via API Endpoint", "versions": [{"status": "affected", "version": "5.5"}, {"status": "affected", "version": "6.2"}], "defaultStatus": "unaffected"}], "datePublic": "2025-03-29T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/52104", "name": "ExploitDB-52104", "tags": ["exploit"]}, {"url": "https://www.mersive.com/", "name": "Mersive Homepage", "tags": ["product"]}, {"url": "https://documentation.mersive.com/en/solstice/about-solstice.html", "name": "Solstice Documentation", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication.", "supportingMedia": [{"type": "text/html", "value": "<p>Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T14:09:51.175Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66573", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:09:51.175Z", "dateReserved": "2025-12-04T16:22:24.337Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-12-04T20:45:13.939Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mersive:solstice_pod_firmware:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "F813116A-47F5-47EC-9206-F51C4C73C60C", "vulnerable": true}, {"criteria": "cpe:2.3:o:mersive:solstice_pod_firmware:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "8634D879-8398-468E-BBD4-9154686700ED", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mersive:solstice_pod:-:*:*:*:*:*:*:*", "matchCriteriaId": "2208F1E1-4F8B-416E-B46C-40A8E862B55B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication."}], "id": "CVE-2025-66573", "lastModified": "2025-12-23T00:09:25.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-12-04T21:16:10.083", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://documentation.mersive.com/en/solstice/about-solstice.html"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/52104"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.mersive.com/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/52104"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:57:48.023577+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update from Mersive to eliminate the exposure of the /api/config endpoint", "If an update is not yet available, restrict network access to the Solstice Pod so that only trusted management addresses can reach the /api/config endpoint, or block the endpoint using a firewall or network ACL", "Configure the device to require authentication for API calls or disable the unauthenticated API feature altogether"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure through unauthenticated API endpoint"}, "threat_synthesis": {"affected_systems": "The affected product is Mersive Solstice Pod. Vulnerable firmware versions include 5.5 and 6.2; the description also mentions firmware 5.6, implying that earlier releases are at risk. All devices running these firmware versions are exposed.", "description_and_impact": "The vulnerability involves an unauthenticated API endpoint (/api/config) that returns sensitive data such as a session key, server version, product details, and display name. Exposing the session key can allow an attacker to hijack active sessions or forge authenticated requests, effectively compromising confidentiality and potentially enabling further malicious actions.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers can reach the endpoint over the network, potentially without any preliminary authentication, making exploitation straightforward for anyone with network visibility to the device."}}}}, "created": "2025-12-05T10:52:14.199952+00:00", "updated": "2026-04-22T21:00:06.371968+00:00", "vendors": ["mersive", "mersive$PRODUCT$solstice_pod"]}