Kron PAM CVE-2025-5254
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kron Technologies Kron PAM allows Stored XSS.
This issue affects Kron PAM: before 3.7.
AnalysisAI
Stored Cross-Site Scripting in Kron Technologies Kron PAM (versions before 3.7) allows a highly privileged authenticated attacker to inject persistent malicious scripts into the application that execute in the browsers of other users who view the affected content. Despite the high privilege required to plant the payload, the impact is rated High on both confidentiality and integrity - a realistic concern in Privileged Access Management platforms where session hijacking or credential harvesting against super-administrators carries severe downstream risk. No public exploit code or active exploitation has been identified at time of analysis; EPSS is low at 0.18% (40th percentile).
Technical ContextAI
Kron PAM is a Privileged Access Management platform by Kron Technologies, used to govern, audit, and broker access to privileged accounts and critical infrastructure. CWE-79 (Improper Neutralization of Input During Web Page Generation) covers stored XSS - a class of vulnerability where user-supplied input is persisted to a data store and later rendered in the browser without adequate encoding or sanitization. In the context of a PAM platform, stored XSS is particularly dangerous because the application handles sensitive privileged session data, credentials, and audit records; script execution in a victim's browser context can abuse the application's own privileged API endpoints on the victim's behalf. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:U) indicates the injection point is accessible over the network, requires no special conditions, but does require a high-privilege account to write the payload.
Affected ProductsAI
Kron PAM by Kron Technologies is affected in all versions prior to 3.7. The advisory published by the Turkish national cybersecurity authority USOM (TR-25-0178) at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0178 and https://www.usom.gov.tr/bildirim/tr-25-0178 identifies the version boundary. No CPE string was provided in the NVD entry; the exact affected component or module within the PAM platform is not specified in available data.
RemediationAI
Upgrade Kron PAM to version 3.7 or later, which resolves the stored XSS condition per the vendor-aligned USOM advisory TR-25-0178. The fix version 3.7 is inferred from the advisory boundary ('before 3.7'); it has not been independently verified against a separate Kron Technologies release note or changelog, so confirm the upgrade path directly with the vendor. Until patching is possible, restrict write access to PAM objects (sessions, notes, labels, or any field that renders in other users' views) to only the minimum necessary privileged accounts, reducing the population of users who could plant a payload. Audit and sanitize any existing stored content in user-editable fields as a precaution. Enable Content Security Policy headers at the web application firewall or load balancer layer if not already in place, noting this is a partial mitigant and does not substitute for the patch.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today