Skip to main content

Secure Access

38 CVEs product

Monthly

CVE-2026-55399 MEDIUM PATCH This Month

Resource exhaustion in Absolute Security Secure Access publisher (versions prior to 14.55) enables authenticated remote attackers holding valid tunnel credentials to trigger a non-persistent denial of service against the publisher component. The CVSS 4.0 score of 5.1 (Medium) reflects the constrained impact: availability loss is limited and self-recovering, with no confidentiality or integrity exposure. No public exploit code and no CISA KEV listing identified at time of analysis.

Denial Of Service Secure Access
NVD
CVSS 4.0
5.1
CVE-2026-55398 MEDIUM PATCH This Month

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol knowledge and tunnel control to trigger a non-persistent denial-of-service against the server component. Both client and server software are identified as affected per the vendor's own disclosure. No public exploit code and no CISA KEV listing are confirmed at time of analysis, and the non-persistent DoS nature implies the server likely auto-recovers, constraining operational impact.

Information Disclosure Secure Access
NVD
CVSS 4.0
6.9
CVE-2026-33445 HIGH PATCH This Week

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep, low-level command of the tunnel protocol to corrupt server-side memory management and keep the server down. The flaw carries a CVSS 4.0 base score of 8.7 driven entirely by an availability (VA:H) impact, with no confidentiality or integrity consequence. No public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world exploitation appears unproven.

Information Disclosure Secure Access
NVD
CVSS 4.0
8.7
CVE-2026-33444 MEDIUM PATCH This Month

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the network-accessible attack surface warrants patching given Absolute Secure Access is a perimeter access product. Notably, the vendor-supplied tag includes 'Information Disclosure,' which conflicts with the DoS-only description and may indicate additional undisclosed impact.

Information Disclosure Secure Access
NVD
CVSS 4.0
6.9
CVE-2026-33443 HIGH PATCH This Week

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel participant to permanently crash or wedge the server by abusing the tunnel protocol. The CVSS 4.0 vector (7.1, PR:L, VA:H) confirms an availability-only impact requiring some level of tunnel authentication, with no confidentiality or integrity effect despite a mislabeled 'Information Disclosure' tag. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Information Disclosure Secure Access
NVD
CVSS 4.0
7.1
CVE-2026-40958 LOW PATCH Monitor

Non-persistent denial-of-service affecting Absolute Secure Access clients prior to version 14.55 can be triggered by an attacker who possesses intimate knowledge of and total control over the underlying tunnel protocol, yielding low availability impact limited to the client process. The CVSS 4.0 score of 2.3 reflects the highly constrained exploitation requirements captured by AT:P and UI:P - this is not opportunistic exploitation but a targeted, condition-heavy attack against a specific client. No active exploitation has been identified, no public exploit code exists, and the DoS is explicitly described as non-persistent, meaning the client recovers without lasting damage.

Information Disclosure Secure Access
NVD
CVSS 4.0
2.3
CVE-2026-40957 MEDIUM PATCH This Month

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.

Secure Access XSS
NVD
CVSS 4.0
6.1
CVE-2026-40956 LOW PATCH Monitor

Memory disclosure in Absolute Security Secure Access client (versions prior to 14.55) permits a small, indeterminate amount of process memory to leak to an adversary who has already achieved full control over the tunnel protocol. The CVSS 4.0 score of 2.1 accurately reflects the narrow real-world impact: an attacker must simultaneously possess intimate protocol knowledge and the ability to manipulate tunnel communications end-to-end, a prerequisite that dramatically limits the exploitable population. No public exploit code exists and the vulnerability does not appear in the CISA KEV catalog, reinforcing its low operational priority for most enterprises.

Information Disclosure Secure Access
NVD
CVSS 4.0
2.1
CVE-2026-40955 LOW PATCH Monitor

Integer underflow in the traffic parsing function of Absolute Security Secure Access clients prior to version 14.55 enables a non-persistent denial-of-service condition against the client application. Exploitation demands the attacker possess intimate knowledge of the proprietary tunnel protocol AND maintain total control over that tunnel - an exceptionally high bar that drastically limits realistic attacker population. The impact is restricted to temporarily disrupting the Secure Access client on the victim endpoint; the service recovers without persistent damage. No public exploit code exists and this vulnerability is not listed in CISA KEV.

Information Disclosure Secure Access Integer Overflow
NVD
CVSS 4.0
2.1
CVE-2026-40954 LOW PATCH Monitor

Integer underflow in Absolute Security's Secure Access client prior to version 14.55 allows an attacker with full control over the tunnel protocol to cause a non-persistent denial of service against the client. The exploitation bar is extremely high - the attacker must possess both intimate knowledge of the proprietary tunnel protocol and total control over the communication channel. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor-reported CVSS 4.0 score of 2.1 reflects the negligible real-world risk.

Information Disclosure Secure Access Integer Overflow
NVD
CVSS 4.0
2.1
CVE-2026-40953 MEDIUM PATCH This Month

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions prior to 14.55 are affected. An attacker who already holds local administrator privileges on a managed endpoint can trigger the overflow to crash the Secure Access client, effectively disabling it on that machine. No public exploit code has been identified, and this vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Secure Access Buffer Overflow Memory Corruption
NVD VulDB
CVSS 4.0
6.7
CVE-2026-40952 HIGH PATCH This Week

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-privileged local user to gain Administrator rights when the software is installed to a non-default directory, due to an insecure installer permission configuration. Absolute (formerly NetMotion) assigns this a CVSS 4.0 base score of 8.5 (High), reflecting full local compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Information Disclosure Secure Access
NVD
CVSS 4.0
8.5
CVE-2026-40950 HIGH PATCH This Week

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.

Buffer Overflow Stack Overflow Secure Access
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33449 LOW PATCH Monitor

Buffer overflow in Absolute Secure Access prior to version 14.50 allows remote attackers to cause denial of service by sending a cryptographically valid message to the client, potentially overwriting memory. The vulnerability requires network access and user interaction (UI:P), making it a moderate-complexity attack with low availability impact. Vendor has released a patch available as of the CVE disclosure.

Denial Of Service Buffer Overflow Stack Overflow Secure Access
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-33447 LOW PATCH Monitor

Buffer overflow in Secure Access message parsing prior to version 14.50 allows remote attackers with control of a modified server to send specially crafted packets that corrupt memory, potentially causing denial of service or limited information disclosure. Attack requires network access, high complexity, and user interaction; CVSS 2.3 reflects limited real-world impact despite the vulnerability class.

Buffer Overflow Stack Overflow Secure Access
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-33446 LOW PATCH Monitor

Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.

Buffer Overflow Secure Access
NVD VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-0519 LOW Monitor

Secure Access versions up to 14.20 is affected by insertion of sensitive information into log file (CVSS 3.4).

Information Disclosure Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-0518 MEDIUM This Month

Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.

XSS Secure Access
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-0517 HIGH This Week

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.

Denial Of Service Secure Access
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59596 MEDIUM This Month

CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Microsoft Secure Access Windows
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2025-59595 HIGH This Month

CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Secure Access
NVD
CVSS 4.0
8.2
EPSS
0.1%
CVE-2025-54088 MEDIUM PATCH This Month

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the console can redirect victims to an arbitrary URL. The attack complexity is low, attack requirements are present, no privileges are required, and users must actively participate in the attack. Impact to confidentiality is low and there is no impact to integrity or availability. There are high severity impacts to confidentiality, integrity, availability in subsequent systems.

Open Redirect Secure Access
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49081 MEDIUM PATCH This Month

There is an insufficient input validation vulnerability in the warehouse component of Absolute Secure Access prior to server version 13.55. Attackers with system administrator permissions can impair the availability of the Secure Access administrative UI by writing invalid data to the warehouse over the network. The attack complexity is low, there are no attack requirements, privileges required are high, and there is no user interaction required. There is no impact on confidentiality or integrity; the impact on availability is high.

Information Disclosure Secure Access
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-49080 HIGH PATCH This Week

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated, network-based attackers to trigger a Denial of Service condition by sending specially crafted packet sequences. The vulnerability requires no privileges or user interaction and has high availability impact (complete service disruption), though no data confidentiality or integrity risk. This is a critical operational risk for organizations dependent on Absolute Secure Access for remote connectivity.

Denial Of Service Memory Corruption Buffer Overflow Secure Access
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-27706 MEDIUM Monitor

CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 4.0
4.6
EPSS
0.2%
CVE-2025-27703 HIGH This Month

CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Secure Access
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2025-27702 MEDIUM This Month

CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Secure Access
NVD
CVSS 4.0
6.9
EPSS
0.2%
CVE-2024-40873 LOW Monitor

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.07. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2024-37352 LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06 that allows attackers with system administrator permissions to interfere with other. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2024-37351 LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2024-37350 MEDIUM This Month

There is a cross-site scripting vulnerability in the policy management UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2024-37349 LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2024-37348 LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2024-37347 LOW Monitor

There is a cross-site scripting vulnerability in the pool configuration component of the management UI of Absolute Secure Access prior to 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2024-37346 MEDIUM This Month

There is an insufficient input validation vulnerability in the Warehouse component of Absolute Secure Access prior to 13.06. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Secure Access
NVD
CVSS 3.1
4.9
EPSS
0.4%
CVE-2024-37345 MEDIUM This Month

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-37344 LOW Monitor

There is a cross-site scripting vulnerability in the Policy management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2024-37343 MEDIUM This Month

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVSS 5.1
MEDIUM PATCH This Month

Resource exhaustion in Absolute Security Secure Access publisher (versions prior to 14.55) enables authenticated remote attackers holding valid tunnel credentials to trigger a non-persistent denial of service against the publisher component. The CVSS 4.0 score of 5.1 (Medium) reflects the constrained impact: availability loss is limited and self-recovering, with no confidentiality or integrity exposure. No public exploit code and no CISA KEV listing identified at time of analysis.

Denial Of Service Secure Access
NVD
CVSS 6.9
MEDIUM PATCH This Month

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol knowledge and tunnel control to trigger a non-persistent denial-of-service against the server component. Both client and server software are identified as affected per the vendor's own disclosure. No public exploit code and no CISA KEV listing are confirmed at time of analysis, and the non-persistent DoS nature implies the server likely auto-recovers, constraining operational impact.

Information Disclosure Secure Access
NVD
CVSS 8.7
HIGH PATCH This Week

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep, low-level command of the tunnel protocol to corrupt server-side memory management and keep the server down. The flaw carries a CVSS 4.0 base score of 8.7 driven entirely by an availability (VA:H) impact, with no confidentiality or integrity consequence. No public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world exploitation appears unproven.

Information Disclosure Secure Access
NVD
CVSS 6.9
MEDIUM PATCH This Month

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the network-accessible attack surface warrants patching given Absolute Secure Access is a perimeter access product. Notably, the vendor-supplied tag includes 'Information Disclosure,' which conflicts with the DoS-only description and may indicate additional undisclosed impact.

Information Disclosure Secure Access
NVD
CVSS 7.1
HIGH PATCH This Week

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel participant to permanently crash or wedge the server by abusing the tunnel protocol. The CVSS 4.0 vector (7.1, PR:L, VA:H) confirms an availability-only impact requiring some level of tunnel authentication, with no confidentiality or integrity effect despite a mislabeled 'Information Disclosure' tag. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Information Disclosure Secure Access
NVD
CVSS 2.3
LOW PATCH Monitor

Non-persistent denial-of-service affecting Absolute Secure Access clients prior to version 14.55 can be triggered by an attacker who possesses intimate knowledge of and total control over the underlying tunnel protocol, yielding low availability impact limited to the client process. The CVSS 4.0 score of 2.3 reflects the highly constrained exploitation requirements captured by AT:P and UI:P - this is not opportunistic exploitation but a targeted, condition-heavy attack against a specific client. No active exploitation has been identified, no public exploit code exists, and the DoS is explicitly described as non-persistent, meaning the client recovers without lasting damage.

Information Disclosure Secure Access
NVD
CVSS 6.1
MEDIUM PATCH This Month

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.

Secure Access XSS
NVD
CVSS 2.1
LOW PATCH Monitor

Memory disclosure in Absolute Security Secure Access client (versions prior to 14.55) permits a small, indeterminate amount of process memory to leak to an adversary who has already achieved full control over the tunnel protocol. The CVSS 4.0 score of 2.1 accurately reflects the narrow real-world impact: an attacker must simultaneously possess intimate protocol knowledge and the ability to manipulate tunnel communications end-to-end, a prerequisite that dramatically limits the exploitable population. No public exploit code exists and the vulnerability does not appear in the CISA KEV catalog, reinforcing its low operational priority for most enterprises.

Information Disclosure Secure Access
NVD
CVSS 2.1
LOW PATCH Monitor

Integer underflow in the traffic parsing function of Absolute Security Secure Access clients prior to version 14.55 enables a non-persistent denial-of-service condition against the client application. Exploitation demands the attacker possess intimate knowledge of the proprietary tunnel protocol AND maintain total control over that tunnel - an exceptionally high bar that drastically limits realistic attacker population. The impact is restricted to temporarily disrupting the Secure Access client on the victim endpoint; the service recovers without persistent damage. No public exploit code exists and this vulnerability is not listed in CISA KEV.

Information Disclosure Secure Access Integer Overflow
NVD
CVSS 2.1
LOW PATCH Monitor

Integer underflow in Absolute Security's Secure Access client prior to version 14.55 allows an attacker with full control over the tunnel protocol to cause a non-persistent denial of service against the client. The exploitation bar is extremely high - the attacker must possess both intimate knowledge of the proprietary tunnel protocol and total control over the communication channel. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor-reported CVSS 4.0 score of 2.1 reflects the negligible real-world risk.

Information Disclosure Secure Access Integer Overflow
NVD
CVSS 6.7
MEDIUM PATCH This Month

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions prior to 14.55 are affected. An attacker who already holds local administrator privileges on a managed endpoint can trigger the overflow to crash the Secure Access client, effectively disabling it on that machine. No public exploit code has been identified, and this vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Secure Access Buffer Overflow +1
NVD VulDB
CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-privileged local user to gain Administrator rights when the software is installed to a non-default directory, due to an insecure installer permission configuration. Absolute (formerly NetMotion) assigns this a CVSS 4.0 base score of 8.5 (High), reflecting full local compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Information Disclosure Secure Access
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.

Buffer Overflow Stack Overflow Secure Access
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Buffer overflow in Absolute Secure Access prior to version 14.50 allows remote attackers to cause denial of service by sending a cryptographically valid message to the client, potentially overwriting memory. The vulnerability requires network access and user interaction (UI:P), making it a moderate-complexity attack with low availability impact. Vendor has released a patch available as of the CVE disclosure.

Denial Of Service Buffer Overflow Stack Overflow +1
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Buffer overflow in Secure Access message parsing prior to version 14.50 allows remote attackers with control of a modified server to send specially crafted packets that corrupt memory, potentially causing denial of service or limited information disclosure. Attack requires network access, high complexity, and user interaction; CVSS 2.3 reflects limited real-world impact despite the vulnerability class.

Buffer Overflow Stack Overflow Secure Access
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.

Buffer Overflow Secure Access
NVD VulDB
EPSS 0% CVSS 3.4
LOW Monitor

Secure Access versions up to 14.20 is affected by insertion of sensitive information into log file (CVSS 3.4).

Information Disclosure Secure Access
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.

XSS Secure Access
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.

Denial Of Service Secure Access
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Microsoft Secure Access +1
NVD
EPSS 0% CVSS 8.2
HIGH This Month

CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Secure Access
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the console can redirect victims to an arbitrary URL. The attack complexity is low, attack requirements are present, no privileges are required, and users must actively participate in the attack. Impact to confidentiality is low and there is no impact to integrity or availability. There are high severity impacts to confidentiality, integrity, availability in subsequent systems.

Open Redirect Secure Access
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

There is an insufficient input validation vulnerability in the warehouse component of Absolute Secure Access prior to server version 13.55. Attackers with system administrator permissions can impair the availability of the Secure Access administrative UI by writing invalid data to the warehouse over the network. The attack complexity is low, there are no attack requirements, privileges required are high, and there is no user interaction required. There is no impact on confidentiality or integrity; the impact on availability is high.

Information Disclosure Secure Access
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated, network-based attackers to trigger a Denial of Service condition by sending specially crafted packet sequences. The vulnerability requires no privileges or user interaction and has high availability impact (complete service disruption), though no data confidentiality or integrity risk. This is a critical operational risk for organizations dependent on Absolute Secure Access for remote connectivity.

Denial Of Service Memory Corruption Buffer Overflow +1
NVD
EPSS 0% CVSS 4.6
MEDIUM Monitor

CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 7.0
HIGH This Month

CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Secure Access
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Secure Access
NVD
EPSS 0% CVSS 3.4
LOW Monitor

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.07. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 3.4
LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06 that allows attackers with system administrator permissions to interfere with other. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 3.4
LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

There is a cross-site scripting vulnerability in the policy management UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 3.4
LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 3.4
LOW Monitor

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 3.4
LOW Monitor

There is a cross-site scripting vulnerability in the pool configuration component of the management UI of Absolute Secure Access prior to 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

There is an insufficient input validation vulnerability in the Warehouse component of Absolute Secure Access prior to 13.06. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Secure Access
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 3.4
LOW Monitor

There is a cross-site scripting vulnerability in the Policy management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Secure Access
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy