CVE-2025-54765

CVE-2025-54765: KL-001-2025-013: Xorux XorMon-NG Web Application Privilege Escalation to Administrator

Vendor: Xorux
Product: XorMon-NG
Weakness: CWE-648
Published: July 28, 2025
Last update: November 3, 2025

What the vulnerability does

01 Description

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read-only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, including granting themselves administrative-level permissions.

Key dates

02 Disclosure timeline

July 28, 2025: CVE published
November 3, 2025: Record updated