Secure Access

10 CVEs product

CVE-2026-0518 MEDIUM This Month

Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.

Tags: XSS, Secure Access
Source: NVD
CVSS 3.1: 4.8
EPSS: 0.0%

CVE-2026-0517 HIGH This Week

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.

Tags: Denial Of Service, Secure Access
Source: NVD
CVSS 3.1: 7.5
EPSS: 0.0%

CVE-2025-59596 MEDIUM This Month

CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. Rated medium severity (CVSS 6.0), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.

Tags: Denial Of Service, Microsoft, Secure Access, Windows
Source: NVD
CVSS 4.0: 6.0
EPSS: 0.0%

CVE-2025-59595 HIGH This Month

CVE-2025-59595 is an internally discovered denial-of-service vulnerability in versions of Secure Access prior to 14.12. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch available.

Tags: Denial Of Service, Secure Access
Source: NVD
CVSS 4.0: 8.2
EPSS: 0.1%

CVE-2025-54088 MEDIUM This Month

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the console can redirect victims to an arbitrary URL. The attack complexity is low, attack requirements are present, no privileges are required, and users must actively participate in the attack. Impact to confidentiality is low and there is no impact to integrity or availability. There are high-severity impacts to confidentiality, integrity, and availability in subsequent systems.

Tags: Open Redirect, Secure Access
Source: NVD
CVSS 3.1: 6.1
EPSS: 0.0%

CVE-2025-49081 MEDIUM This Month

There is an insufficient input validation vulnerability in the warehouse component of Absolute Secure Access prior to server version 13.55. Attackers with system administrator permissions can impair the availability of the Secure Access administrative UI by writing invalid data to the warehouse over the network. The attack complexity is low, there are no attack requirements, privileges required are high, and there is no user interaction required. There is no impact on confidentiality or integrity; the impact on availability is high.

Tags: Information Disclosure, Secure Access
Source: NVD
CVSS 3.1: 4.9
EPSS: 0.1%

CVE-2025-49080 HIGH This Week

A memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 allows unauthenticated, network-based attackers to trigger a denial-of-service condition by sending specially crafted packet sequences. The vulnerability requires no privileges or user interaction and has high availability impact (complete service disruption), though it poses no risk to data confidentiality or integrity. This is a critical operational risk for organizations dependent on Absolute Secure Access for remote connectivity.

Tags: Denial Of Service, Memory Corruption, Buffer Overflow, Secure Access
Source: NVD
CVSS 3.1: 7.5
EPSS: 0.1%

CVE-2025-27706 MEDIUM Monitor

CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Tags: XSS, Secure Access
Source: NVD
CVSS 4.0: 4.6
EPSS: 0.2%

CVE-2025-27703 HIGH This Month

CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Tags: Privilege Escalation, Secure Access
Source: NVD
CVSS 4.0: 7.0
EPSS: 0.2%

CVE-2025-27702 MEDIUM This Month

CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Tags: Authentication Bypass, Secure Access
Source: NVD
CVSS 4.0: 6.9
EPSS: 0.2%
