Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations Manager (VIOM) allows an attacker to force the user with an active session into clicking a malicious HTML link, which triggers unintended modifications on VIOM web application without the user's knowledge.
AnalysisAI
Cross-Site Request Forgery in InfoScale 9.1.3 Operations Manager (VIOM) web application allows remote attackers on the adjacent network to coerce an authenticated user with an active session into clicking a malicious link that triggers unintended state-changing actions in VIOM. No public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on confidentiality, integrity, and availability if a privileged VIOM operator is targeted.
Technical ContextAI
VIOM (Veritas/Arctera InfoScale Operations Manager) is a centralized web-based management console for InfoScale storage and high-availability clusters, typically deployed on internal management networks. The root cause is CWE-352 (Cross-Site Request Forgery): the VIOM web application performs state-changing operations based on session cookies alone, without validating an anti-CSRF token, origin, or referer header tying the request to a legitimate VIOM-originated form submission. Because VIOM administrators routinely hold long-lived authenticated sessions to perform cluster management, any same-browser navigation to an attacker-controlled page can issue forged requests that the server accepts as authentic.
RemediationAI
Patch availability is unclear from the provided data: the references point to a vendor security bulletin covering CVE-2026-44923, CVE-2026-44924, and CVE-2026-44925 together, but no fixed version is enumerated in the input, so treat this as 'patch available per vendor advisory' and apply whatever build the InfoScale support bulletin at https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080 specifies. Until that fixed build is deployed, restrict the VIOM management console to a dedicated administrative network segment or VPN reachable only from jump hosts (trade-off: blocks legitimate remote admin from general workstations), require VIOM administrators to use a separate hardened browser profile with no general web browsing (trade-off: workflow friction), shorten VIOM session timeouts and force re-authentication for sensitive operations (trade-off: more login prompts), and consider a reverse proxy that enforces SameSite=Strict cookies or strips cross-origin POST requests to the VIOM endpoint (trade-off: may break legitimate integrations).
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31130
GHSA-mhc9-cfgv-gx98