Skip to main content

Cato Networks CVE-2025-7012

| EUVDEUVD-2025-21253 HIGH
Improper Link Resolution Before File Access (CWE-59)
2025-07-13 2505284f-8ffb-486c-bf60-e19c1097a90b
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/RE:M/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/RE:M/U:Green
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:26 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5.5
EUVD ID Assigned
Mar 16, 2026 - 09:18 euvd
EUVD-2025-21253
Analysis Generated
Mar 16, 2026 - 09:18 vuln.today
CVE Published
Jul 13, 2025 - 08:15 nvd
HIGH 8.6

DescriptionCVE.org

An issue in Cato Networks' CatoClient for Linux, before version 5.5, allows a local attacker to escalate privileges to root by exploiting improper symbolic link handling.

AnalysisAI

CVE-2025-7012 is a local privilege escalation vulnerability in Cato Networks CatoClient for Linux versions prior to 5.5, stemming from improper symbolic link handling that allows an authenticated local attacker to escalate privileges to root. With a CVSS score of 8.6 and CWE-59 classification, this vulnerability presents a high-severity risk to Linux deployments; the attack requires local access and user interaction but delivers complete system compromise. Active exploitation status and proof-of-concept availability should be verified through CISA KEV database and exploit repositories.

Technical ContextAI

The vulnerability exploits improper symbolic link (symlink) handling in CatoClient for Linux—a VPN/network security client deployed on endpoint systems. CWE-59 (Improper Link Resolution Before File Access) occurs when applications fail to validate symbolic links before performing file operations, allowing attackers to redirect file write/read operations to sensitive system locations. In CatoClient's case, the vulnerability likely exists in privilege escalation code paths where the application performs operations in directories world-writable or controlled by lower-privileged users without validating link targets. The affected CPE would be: cpe:2.3:a:cato_networks:catoclient:*:*:*:*:*:linux:*. Versions before 5.5 contain this flaw; the client typically runs with elevated privileges or interacts with privileged processes, creating the attack surface.

RemediationAI

{'type': 'Patch', 'action': 'Upgrade CatoClient for Linux to version 5.5 or later', 'priority': 'Critical', 'source': 'Cato Networks official release'} {'type': 'Interim Mitigation', 'action': 'Restrict login access to Linux systems running CatoClient to trusted users only; disable local shell access where possible for non-administrative accounts', 'priority': 'High'} {'type': 'Detection', 'action': "Monitor system logs for failed privilege escalation attempts and symbolic link creation in CatoClient's working directories (typically /tmp, /var/run, or application-specific paths); implement file integrity monitoring on privileged CatoClient binaries and configuration files", 'priority': 'Medium'} {'type': 'Verification', 'action': 'Verify patched version via: catoclient --version or check /opt/cato/catoclient/VERSION file; ensure no rollback to earlier versions in configuration management systems', 'priority': 'High'}

Share

CVE-2025-7012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy