| CVE ID | CVE-2025-22270 |
| Publication date | 28 February 2025 |
| Vendor | CyberArk |
| Product | Endpoint Privilege Manager |
| Vulnerable versions | 24.7.1 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-22271 |
| Publication date | 28 February 2025 |
| Vendor | CyberArk |
| Product | Endpoint Privilege Manager |
| Vulnerable versions | 24.7.1 |
| Vulnerability type (CWE) | Authentication Bypass by Spoofing (CWE-290) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-22272 |
| Publication date | 28 February 2025 |
| Vendor | CyberArk |
| Product | Endpoint Privilege Manager |
| Vulnerable versions | 24.7.1 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-22273 |
| Publication date | 28 February 2025 |
| Vendor | CyberArk |
| Product | Endpoint Privilege Manager |
| Vulnerable versions | 24.7.1 |
| Vulnerability type (CWE) | Allocation of Resources Without Limits or Throttling (CWE-770) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-22274 |
| Publication date | 28 February 2025 |
| Vendor | CyberArk |
| Product | Endpoint Privilege Manager |
| Vulnerable versions | 24.7.1 |
| Vulnerability type (CWE) | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in CyberArk Endpoint Privilege Manager software and participated in coordination of their disclosure.
The vulnerability CVE-2025-22270: An attacker with access to the Administration panel, specifically the Role Management tab, can inject code by adding a new role in the name field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which
mitigates JS code execution while still allowing HTML injection.
The vulnerability CVE-2025-22271: The application or its infrastructure allows for IP address spoofing by providing its own value in the X-Forwarded-For header. Thus, the action logging mechanism in the application loses accountability
The vulnerability CVE-2025-22272: In the /EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg endpoint, it is possible to inject code in the modalDlgMsgInternal parameter via POST, which is then executed in the browser. The risk of exploiting vulnerability is reduced due to the required additional bypassing the Content-Security-Policy policy
The vulnerability CVE-2025-22273: Application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the /EPMUI/VfManager.asmx/ChangePassword endpoint it is possible to perform a brute force attack on the current password in use.
The vulnerability CVE-2025-22274: It is possible to inject HTML code into the page content using the content field in the Application definition page.
These issues affect CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.
Credits
We thank Karol Mazurek and Maksymilian Kubiak from Afine Team for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.