Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
There is a memory management vulnerability in Absolute Secure Access server versions 9.0 to 13.54. Attackers with network access to the server can cause a Denial of Service by sending a specially crafted sequence of packets to the server. The attack complexity is low, there are no attack requirements, privileges, or user interaction required. Loss of availability is high; there is no impact on confidentiality or integrity.
AnalysisAI
Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated, network-based attackers to trigger a Denial of Service condition by sending specially crafted packet sequences. The vulnerability requires no privileges or user interaction and has high availability impact (complete service disruption), though no data confidentiality or integrity risk. This is a critical operational risk for organizations dependent on Absolute Secure Access for remote connectivity.
Technical ContextAI
The vulnerability stems from CWE-762 (Mismatched Validation of Loop Condition), a memory management flaw in the Absolute Secure Access server's packet handling logic. The affected technology is Absolute Secure Access (CPE: cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*), a remote connectivity and access control solution. The memory management defect exists in versions 9.0 through 13.54, suggesting the flaw was introduced or remained unpatched across multiple major release cycles. The root cause involves improper validation of loop conditions during packet processing, likely resulting in unbounded memory consumption, buffer exhaustion, or unsafe memory access that crashes the service. The network-accessible attack surface (AV:N) indicates the vulnerable code path is directly reachable from unauthenticated network connections, typical of server socket handlers or protocol parsers.
More in Secure Access
View allLocal privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p
CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c
There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio
There is an insufficient input validation vulnerability in the warehouse component of Absolute Secure Access prior to se
There is an insufficient input validation vulnerability in the Warehouse component of Absolute Secure Access prior to 13
Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to in
There is a cross-site scripting vulnerability in the policy management UI of Absolute Secure Access prior to version 13.
Secure Access versions up to 14.20 is affected by insertion of sensitive information into log file (CVSS 3.4).
Same weakness CWE-762 – Mismatched Memory Management Routines
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18200