
Vulnerability Details
Affected Vendor: Xorux
Affected Product: XorMon-NG
Affected Version: 1.8 and prior
Platform: Debian
CWE Classification: CWE-648: Incorrect Use of Privileged APIs
CVE ID: CVE-2025-54765

Vulnerability Description
An API endpoint that should be restricted to web application administrators is hidden from, but still reachable by, lower-privileged read-only web application users. The endpoint imports the appliance configuration, so an attacker who can reach it controls the configuration of the appliance, including granting their own account administrative-level permissions.

Technical Description
A read-only user can reach the web application endpoint that accepts configuration imports. The import format is the same tar.gz.gpg archive produced by the configuration export, and an attacker can construct an archive containing arbitrary device configuration of their choosing. The archive is symmetrically encrypted with GPG using a default passphrase of the literal string "undefined" for both encryption and decryption, so an attacker can decrypt a legitimate export and re-encrypt a modified one. To escalate privileges, the attacker exports the device configuration, modifies it so that the read-only account holds administrative privileges, and re-imports it into the appliance. An authenticated, read-only attacker can therefore obtain administrative-level permissions within the web application.

Mitigation and Remediation Recommendation
Xorux released version 1.9.38, which includes a remediation for this vulnerability. See https://xormon.com/note190.php.

Credit
This…
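To make the authorization failure concrete, here is an added example, not code from Xorux or the XorMon-NG product, that models the import endpoint in Python: a read-only account exports the configuration, rewrites its own role to admin inside the archive, and re-imports it. It contrasts the vulnerable pattern (endpoint hidden in the UI but checked only for a valid session) with the fixed pattern (role enforced server-side on the endpoint itself). The class, the account names, the archive layout (a plain tar.gz holding config/users.json, standing in for the tar.gz.gpg export) and both handler variants are assumptions made for illustration; the GPG layer is omitted because, with the passphrase fixed at "undefined", it adds no protection an attacker has to defeat.

```python
# Added example (not XorMon-NG's code): a hypothetical model of a
# configuration-import endpoint that contrasts the vulnerable pattern
# (endpoint hidden in the UI, but only checked for a valid session) with
# the fixed pattern (server-side role check on the endpoint itself).
# The archive is a plain tar.gz stand-in for the appliance's tar.gz.gpg
# export; the GPG layer is omitted because its passphrase is fixed.
# All names and data below are constructed for illustration.
import io
import json
import tarfile


class Forbidden(Exception):
    """Raised when an actor is not authorized for an endpoint."""


def build_config_archive(users):
    """Pack a {username: role} map into a tar.gz holding config/users.json."""
    payload = json.dumps({"users": users}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("config/users.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def parse_config_archive(blob):
    """Read config/users.json back out of an archive made by build_config_archive."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        member = tar.extractfile("config/users.json")
        return json.load(member)


class Appliance:
    """Minimal appliance with one admin and one read-only account (constructed)."""

    def __init__(self):
        self.users = {"admin": "admin", "reader": "readonly"}

    def _require_session(self, actor):
        # Authentication only: any known account passes this check.
        if actor not in self.users:
            raise Forbidden("not authenticated")

    def export_config(self, actor):
        # Export is reachable by any authenticated account, as on the appliance.
        self._require_session(actor)
        return build_config_archive(dict(self.users))

    def import_config_vulnerable(self, actor, blob):
        # CWE-648 pattern: the endpoint is merely hidden from read-only
        # users in the UI; the server never checks the caller's role.
        self._require_session(actor)
        self.users = parse_config_archive(blob)["users"]

    def import_config_fixed(self, actor, blob):
        # Fix: authorization is enforced on the endpoint, not in the UI.
        self._require_session(actor)
        if self.users.get(actor) != "admin":
            raise Forbidden("configuration import requires the admin role")
        self.users = parse_config_archive(blob)["users"]


def escalate(appliance, actor, import_endpoint):
    """Export, promote `actor` to admin in the archive, re-import; return the resulting role."""
    config = parse_config_archive(appliance.export_config(actor))
    config["users"][actor] = "admin"
    import_endpoint(actor, build_config_archive(config["users"]))
    return appliance.users[actor]


def demo_vulnerable():
    """Read-only 'reader' against the hidden-but-unchecked endpoint."""
    box = Appliance()
    return escalate(box, "reader", box.import_config_vulnerable)


def demo_fixed():
    """Same attack against the role-checked endpoint: rejected, role unchanged."""
    box = Appliance()
    try:
        escalate(box, "reader", box.import_config_fixed)
    except Forbidden:
        return box.users["reader"]
    return "escalated"  # unreachable with the fix in place


if __name__ == "__main__":
    print("vulnerable endpoint:", demo_vulnerable())  # admin
    print("fixed endpoint:     ", demo_fixed())       # readonly
```

The point the model makes is that hiding a route in the front end is not access control: the only check that matters is the one the server performs on the request, and it has to compare the caller's role against the privilege the endpoint grants, not just confirm that a session exists.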