Skip to main content

ELOG CVE-2025-64348

HIGH
Missing Authorization (CWE-862)
2025-10-31 9119a7d8-5eab-497f-8521-727c672e3725
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 26, 2026 - 20:00 vuln.today

DescriptionCVE.org

ELOG allows an authenticated user to modify or overwrite the configuration file, resulting in denial of service. If the execute facility is specifically enabled with the "-x" command line flag, attackers could execute OS commands on the host machine. By default, ELOG is not configured to allow shell commands or self-registration.

AnalysisAI

Configuration file manipulation in ELOG electronic logbook system allows authenticated attackers to trigger denial of service by modifying or overwriting the configuration file. If the rarely-used execute facility is enabled via '-x' command line flag, the vulnerability escalates to remote code execution on the underlying host. Vendor patches are available via Bitbucket commits 7092ff6 and f81e569. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. The 7.1 CVSS 4.0 score reflects high availability impact and low integrity impact under default configurations, with significantly higher risk in non-default deployments using the execute facility.

Technical ContextAI

ELOG is an electronic logbook system typically used in scientific and technical environments for collaborative documentation. The vulnerability stems from CWE-862 (Missing Authorization), where insufficient authorization checks allow authenticated users to manipulate the configuration file beyond their intended privilege level. The affected product (cpe:2.3:a:elog_project:elog) uses a configuration file that controls system behavior, including the optional execute facility. When the '-x' command line flag enables shell command execution-a non-default feature-attackers can inject malicious commands through the compromised configuration, converting an availability issue into a code execution vector. The CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates network-accessible exploitation with low complexity once authentication is obtained, with primary impact to availability (VA:H) and limited integrity impact (VI:L) in default configurations.

RemediationAI

Apply vendor-released patches immediately by updating to ELOG versions incorporating Bitbucket commits 7092ff64f6eb9521f8cc8c52272a020bf3730946 and f81e5695c40997322fe2713bfdeba459d9de09dc, available at https://bitbucket.org/ritt/elog/commits/. If immediate patching is not feasible, disable the execute facility by removing the '-x' command line flag from ELOG startup configuration to eliminate code execution risk, though this does not address the denial of service vector. Implement strict file system permissions on the ELOG configuration file to prevent modification by non-administrative users, though this compensating control may conflict with legitimate application functionality and should be tested thoroughly. Disable self-registration functionality if enabled to limit attacker access to valid credentials. Review authentication mechanisms and implement additional access controls to minimize the number of users with configuration modification privileges. Monitor configuration file integrity using file integrity monitoring (FIM) tools to detect unauthorized changes. For high-security environments using the execute facility, consider network segmentation to isolate ELOG systems from sensitive resources until patching is complete. Consult CISA CSAF advisory VA-25-304-01 (https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-304-01.json) for additional government guidance.

Share

CVE-2025-64348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy