Skip to main content

InfoScale Operations Manager CVE-2026-44925

| EUVDEUVD-2026-31130 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-20 mitre GHSA-mhc9-cfgv-gx98
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 20, 2026 - 20:22 vuln.today
CVSS changed
May 20, 2026 - 20:22 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
May 20, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations Manager (VIOM) allows an attacker to force the user with an active session into clicking a malicious HTML link, which triggers unintended modifications on VIOM web application without the user's knowledge.

AnalysisAI

Cross-Site Request Forgery in InfoScale 9.1.3 Operations Manager (VIOM) web application allows remote attackers on the adjacent network to coerce an authenticated user with an active session into clicking a malicious link that triggers unintended state-changing actions in VIOM. No public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on confidentiality, integrity, and availability if a privileged VIOM operator is targeted.

Technical ContextAI

VIOM (Veritas/Arctera InfoScale Operations Manager) is a centralized web-based management console for InfoScale storage and high-availability clusters, typically deployed on internal management networks. The root cause is CWE-352 (Cross-Site Request Forgery): the VIOM web application performs state-changing operations based on session cookies alone, without validating an anti-CSRF token, origin, or referer header tying the request to a legitimate VIOM-originated form submission. Because VIOM administrators routinely hold long-lived authenticated sessions to perform cluster management, any same-browser navigation to an attacker-controlled page can issue forged requests that the server accepts as authentic.

RemediationAI

Patch availability is unclear from the provided data: the references point to a vendor security bulletin covering CVE-2026-44923, CVE-2026-44924, and CVE-2026-44925 together, but no fixed version is enumerated in the input, so treat this as 'patch available per vendor advisory' and apply whatever build the InfoScale support bulletin at https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080 specifies. Until that fixed build is deployed, restrict the VIOM management console to a dedicated administrative network segment or VPN reachable only from jump hosts (trade-off: blocks legitimate remote admin from general workstations), require VIOM administrators to use a separate hardened browser profile with no general web browsing (trade-off: workflow friction), shorten VIOM session timeouts and force re-authentication for sensitive operations (trade-off: more login prompts), and consider a reverse proxy that enforces SameSite=Strict cookies or strips cross-origin POST requests to the VIOM endpoint (trade-off: may break legitimate integrations).

Share

CVE-2026-44925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy