CVE-2025-13428 HIGH

CVE-2025-13428: RCE in SecOps SOAR server via user-provided Python packages

Vendor Google Cloud

Product Google Cloud SecOps SOAR

Weakness CWE-20 · Input validation

Published December 9, 2025

Last update December 9, 2025

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

What the vulnerability does

Description

A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an "IDE role" to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code. An attacker could upload a package containing a malicious setup.py file, which would execute on the server during the installation process, leading to potential server compromise. No customer action is required. All customers have been automatically upgraded to the fixed version: 6.3.64 or higher.

Key dates

Disclosure timeline

December 9, 2025 CVE published

December 9, 2025 Record updated