CVE-2025-3026 MEDIUM

CVE-2025-3026: Improper Neutralization of Special Elements vulnerability in EJBCA

Vendor Primekey Solutions Ab
Product EJBCA
Weakness CWE-74
Published March 31, 2025
Last update March 31, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The vulnerability exists in the EJBCA service, version 8.0 Enterprise. Not tested in higher versions. By modifying the ‘Host’ header in an HTTP request, it is possible to manipulate the generated links and thus redirect the client to a different base URL. In this way, an attacker could insert his own server for the client to send HTTP requests, provided he succeeds in exploiting it.

Key dates

02Disclosure timeline

March 31, 2025 CVE published
March 31, 2025 Record updated