CVSS Vector (NVD)
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been fixed in version 5.6.3.
Analysis (AI)
Fudo Enterprise versions 5.5.0 through 5.6.2 permit low-privileged users to access administrator-only API endpoints, exposing sensitive system logs and configuration data due to improper authorization controls. Authenticated attackers with minimal privileges can escalate access to protected resources without additional user interaction. The vulnerability has been patched in version 5.6.3.
Technical Context (AI)
This vulnerability stems from broken access control (CWE-863: Incorrect Authorization) in Fudo Enterprise's API layer. The application fails to properly enforce role-based access control (RBAC) on sensitive administrative endpoints, allowing authenticated users with low privilege levels to bypass authorization checks. The affected endpoints expose system logs and partial system configuration, resources normally restricted to administrators, through inadequately protected API resources. The vulnerability affects the Fudo Enterprise product (cpe:2.3:a:fudo_security:fudo_enterprise) across versions 5.5.0 to 5.6.2, suggesting the flaw was introduced or persisted across multiple releases before remediation.
Remediation (AI)
Upgrade Fudo Enterprise to version 5.6.3 or later, which includes fixes for the improper API authorization controls. This patch is the primary remediation and should be deployed immediately to all affected instances. The vendor release notes are available at https://download.fudosecurity.com/documentation/fudo/5_6/rn/RN_5.6.3.pdf. If immediate patching is not feasible, implement network-level mitigations: restrict network access to Fudo Enterprise to trusted administrative networks only (the CVSS vector's AV:A rating means an attacker must already be on an adjacent network, so network segmentation directly limits exposure), enforce firewall rules to block unauthorized access to the application, and audit user access logs to identify suspicious API calls to administrator endpoints. Additionally, review user privilege assignments and remove excessive low-privilege account access if not operationally necessary. These compensating controls reduce exposure but do not eliminate the vulnerability; patching remains the definitive fix.
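The two defensive points above, the missing per-endpoint role check that characterizes CWE-863 and the log audit recommended as a compensating control, can be illustrated with a small self-contained script. This is an added example written for this page; it is not Fudo Enterprise's code, and the endpoint paths, roles and access-log lines are hypothetical values constructed for the illustration.

```python
"""
Generic illustration of CWE-863 (incorrect authorization) on an API layer,
and of an access-log audit for calls to administrator-only endpoints.
Hypothetical code: not Fudo Enterprise's implementation. Paths, roles and
log lines are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical administrator-only endpoints (constructed for the example).
ADMIN_ONLY_PATHS = {"/api/system/logs", "/api/system/config"}


@dataclass
class Principal:
    name: str
    role: str  # "admin" or "user"


def handle_vulnerable(principal: Optional[Principal], path: str) -> int:
    """Authentication only: any logged-in principal reaches every endpoint.

    This is the CWE-863 pattern: the identity is verified, but no check
    ties the endpoint to a required role, so a low-privileged user gets 200.
    """
    if principal is None:
        return 401
    return 200


def handle_fixed(principal: Optional[Principal], path: str) -> int:
    """Authentication plus a per-endpoint role check.

    Admin-only paths are denied (403) to non-admin roles before any
    resource is touched; everything else behaves as before.
    """
    if principal is None:
        return 401
    if path in ADMIN_ONLY_PATHS and principal.role != "admin":
        return 403
    return 200


# Constructed access-log lines: timestamp user role method path status
SAMPLE_LOG = """\
2025-01-10T09:00:01Z alice admin GET /api/system/logs 200
2025-01-10T09:00:05Z bob user GET /api/sessions 200
2025-01-10T09:00:09Z bob user GET /api/system/logs 200
2025-01-10T09:00:12Z bob user GET /api/system/config 200
2025-01-10T09:00:20Z carol user GET /api/system/config 403
"""


def audit_admin_endpoint_access(log_text: str) -> List[Dict[str, str]]:
    """Return successful (2xx) calls to admin-only paths made by non-admin roles.

    A 403 from a non-admin is expected behaviour and is not reported; a 200
    is the signal that the authorization check did not fire.
    """
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the audit
        ts, user, role, _method, path, status = parts
        if path in ADMIN_ONLY_PATHS and role != "admin" and status.startswith("2"):
            findings.append({"time": ts, "user": user, "path": path})
    return findings


if __name__ == "__main__":
    bob = Principal("bob", "user")
    print("vulnerable handler:", handle_vulnerable(bob, "/api/system/logs"))
    print("fixed handler:", handle_fixed(bob, "/api/system/logs"))
    for finding in audit_admin_endpoint_access(SAMPLE_LOG):
        print("non-admin reached admin endpoint:", finding)
```

The audit function is the part a defender can apply without vendor changes: run it over the application's access logs (adapting the column layout to the real format) and treat any 2xx response to a non-admin on an admin-only path as evidence the authorization gap was exercised.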
External POC / Exploit Code
EUVD-2025-209530
GHSA-x858-8gr5-586m