Skip to main content

Kron PAM CVE-2025-5253

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2025-07-25 iletisim@usom.gov.tr
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:38 vuln.today

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in Kron Technologies Kron PAM allows HTTP DoS.

This issue affects Kron PAM: before 3.7.

AnalysisAI

HTTP denial-of-service in Kron Technologies Kron PAM (all versions before 3.7) allows a low-privileged authenticated remote attacker to exhaust server resources through unthrottled HTTP request processing. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms the attack is network-reachable at low complexity, requiring only a valid user account, with full availability impact and no scope change. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog; EPSS sits at 0.28% (52nd percentile), indicating low-to-moderate real-world exploitation probability at time of analysis.

Technical ContextAI

CWE-770 (Allocation of Resources Without Limits or Throttling) identifies a root cause where the HTTP-processing layer of Kron PAM imposes no effective ceiling on resource consumption per request or session. Kron PAM is a Privileged Access Management platform used to control, monitor, and audit privileged account sessions; its web-facing HTTP interface is the attack surface. Without rate limiting or resource quotas, an authenticated principal can issue a high volume of requests or requests designed to consume disproportionate CPU, memory, or connection-table entries, starving legitimate administrative sessions. No CPE string was provided in the source data, but the affected product is identified by the vendor as 'Kron PAM' versions prior to 3.7, as reported through Turkey's national USOM advisory TR-25-0178.

Affected ProductsAI

Kron Technologies Kron PAM, all releases before version 3.7, is confirmed affected per NVD and the Turkish USOM advisory TR-25-0178 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0178 and https://www.usom.gov.tr/bildirim/tr-25-0178). No CPE string was supplied in the source data, so the exact CPE URI cannot be stated with certainty. The advisory does not enumerate sub-version ranges, implying the vulnerability exists across the entire pre-3.7 release line.

RemediationAI

Upgrade Kron PAM to version 3.7 or later; this is the vendor-confirmed patched release as referenced in USOM advisory TR-25-0178 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0178). The exact patch version (3.7) is sourced from NVD/USOM and should be verified against Kron Technologies' official release notes before deployment. If immediate upgrade is not feasible, consider restricting access to the PAM web interface to trusted internal IP ranges or VPN endpoints only, reducing the pool of authenticated principals who can reach the HTTP layer; note this does not eliminate the vulnerability but raises the attacker's access bar. Additionally, placing an HTTP rate-limiting reverse proxy or WAF rule in front of the PAM web interface to cap per-session request rates can serve as a compensating control, with the trade-off that overly aggressive thresholds may affect legitimate PAM session throughput.

Share

CVE-2025-5253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy