CVE-2025-1417 MEDIUM

CVE-2025-1417: Information disclosure in Proget MDM

Vendor Proget

Product Proget

Weakness CWE-863 · Incorrect authorization

Published May 21, 2025

Last update May 21, 2025

View on NVD All CVEs

CVSS base score

4.6/10

Attack vector Adjacent

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information include user ids, email addresses, first names, last names and device UUIDs. The last one can be used for exploitation of CVE-2025-1416. Successful exploitation requires UUID of a targeted backup, which cannot be brute forced. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

Key dates

02Disclosure timeline

May 21, 2025 CVE published

May 21, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1417

Related vulnerabilities

CVE-2025-1417: Information disclosure in Proget MDM

01Description

02Disclosure timeline

03References

04Related CVE