Kron PAM CVE-2025-5253
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in Kron Technologies Kron PAM allows HTTP DoS.
This issue affects Kron PAM: before 3.7.
AnalysisAI
HTTP denial-of-service in Kron Technologies Kron PAM (all versions before 3.7) allows a low-privileged authenticated remote attacker to exhaust server resources through unthrottled HTTP request processing. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms the attack is network-reachable at low complexity, requiring only a valid user account, with full availability impact and no scope change. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog; EPSS sits at 0.28% (52nd percentile), indicating low-to-moderate real-world exploitation probability at time of analysis.
Technical ContextAI
CWE-770 (Allocation of Resources Without Limits or Throttling) identifies a root cause where the HTTP-processing layer of Kron PAM imposes no effective ceiling on resource consumption per request or session. Kron PAM is a Privileged Access Management platform used to control, monitor, and audit privileged account sessions; its web-facing HTTP interface is the attack surface. Without rate limiting or resource quotas, an authenticated principal can issue a high volume of requests or requests designed to consume disproportionate CPU, memory, or connection-table entries, starving legitimate administrative sessions. No CPE string was provided in the source data, but the affected product is identified by the vendor as 'Kron PAM' versions prior to 3.7, as reported through Turkey's national USOM advisory TR-25-0178.
Affected ProductsAI
Kron Technologies Kron PAM, all releases before version 3.7, is confirmed affected per NVD and the Turkish USOM advisory TR-25-0178 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0178 and https://www.usom.gov.tr/bildirim/tr-25-0178). No CPE string was supplied in the source data, so the exact CPE URI cannot be stated with certainty. The advisory does not enumerate sub-version ranges, implying the vulnerability exists across the entire pre-3.7 release line.
RemediationAI
Upgrade Kron PAM to version 3.7 or later; this is the vendor-confirmed patched release as referenced in USOM advisory TR-25-0178 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0178). The exact patch version (3.7) is sourced from NVD/USOM and should be verified against Kron Technologies' official release notes before deployment. If immediate upgrade is not feasible, consider restricting access to the PAM web interface to trusted internal IP ranges or VPN endpoints only, reducing the pool of authenticated principals who can reach the HTTP layer; note this does not eliminate the vulnerability but raises the attacker's access bar. Additionally, placing an HTTP rate-limiting reverse proxy or WAF rule in front of the PAM web interface to cap per-session request rates can serve as a compensating control, with the trade-off that overly aggressive thresholds may affect legitimate PAM session throughput.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today