CVE-2025-10650 LOW

CVE-2025-10650: Improper SSH Key Handling in Internal Debug Builds May Grant Cluster-Level Access to Non-Administrative Users

Vendor Softiron
Product HyperCloud
Weakness CWE-269
Published September 18, 2025
Last update February 20, 2026

CVSS base score

1.8/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 and 2.6.3.  No generally available (GA) or customer-released production builds were affected.  There is no evidence that this issue was exposed in customer environments or production deployments.

Key dates

02Disclosure timeline

September 18, 2025 CVE published
February 20, 2026 Record updated