Secure Access
Monthly
Resource exhaustion in Absolute Security Secure Access publisher (versions prior to 14.55) enables authenticated remote attackers holding valid tunnel credentials to trigger a non-persistent denial of service against the publisher component. The CVSS 4.0 score of 5.1 (Medium) reflects the constrained impact: availability loss is limited and self-recovering, with no confidentiality or integrity exposure. No public exploit code and no CISA KEV listing identified at time of analysis.
Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol knowledge and tunnel control to trigger a non-persistent denial-of-service against the server component. Both client and server software are identified as affected per the vendor's own disclosure. No public exploit code and no CISA KEV listing are confirmed at time of analysis, and the non-persistent DoS nature implies the server likely auto-recovers, constraining operational impact.
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep, low-level command of the tunnel protocol to corrupt server-side memory management and keep the server down. The flaw carries a CVSS 4.0 base score of 8.7 driven entirely by an availability (VA:H) impact, with no confidentiality or integrity consequence. No public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world exploitation appears unproven.
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the network-accessible attack surface warrants patching given Absolute Secure Access is a perimeter access product. Notably, the vendor-supplied tag includes 'Information Disclosure,' which conflicts with the DoS-only description and may indicate additional undisclosed impact.
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel participant to permanently crash or wedge the server by abusing the tunnel protocol. The CVSS 4.0 vector (7.1, PR:L, VA:H) confirms an availability-only impact requiring some level of tunnel authentication, with no confidentiality or integrity effect despite a mislabeled 'Information Disclosure' tag. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Non-persistent denial-of-service affecting Absolute Secure Access clients prior to version 14.55 can be triggered by an attacker who possesses intimate knowledge of and total control over the underlying tunnel protocol, yielding low availability impact limited to the client process. The CVSS 4.0 score of 2.3 reflects the highly constrained exploitation requirements captured by AT:P and UI:P - this is not opportunistic exploitation but a targeted, condition-heavy attack against a specific client. No active exploitation has been identified, no public exploit code exists, and the DoS is explicitly described as non-persistent, meaning the client recovers without lasting damage.
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.
Memory disclosure in Absolute Security Secure Access client (versions prior to 14.55) permits a small, indeterminate amount of process memory to leak to an adversary who has already achieved full control over the tunnel protocol. The CVSS 4.0 score of 2.1 accurately reflects the narrow real-world impact: an attacker must simultaneously possess intimate protocol knowledge and the ability to manipulate tunnel communications end-to-end, a prerequisite that dramatically limits the exploitable population. No public exploit code exists and the vulnerability does not appear in the CISA KEV catalog, reinforcing its low operational priority for most enterprises.
Integer underflow in the traffic parsing function of Absolute Security Secure Access clients prior to version 14.55 enables a non-persistent denial-of-service condition against the client application. Exploitation demands the attacker possess intimate knowledge of the proprietary tunnel protocol AND maintain total control over that tunnel - an exceptionally high bar that drastically limits realistic attacker population. The impact is restricted to temporarily disrupting the Secure Access client on the victim endpoint; the service recovers without persistent damage. No public exploit code exists and this vulnerability is not listed in CISA KEV.
Integer underflow in Absolute Security's Secure Access client prior to version 14.55 allows an attacker with full control over the tunnel protocol to cause a non-persistent denial of service against the client. The exploitation bar is extremely high - the attacker must possess both intimate knowledge of the proprietary tunnel protocol and total control over the communication channel. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor-reported CVSS 4.0 score of 2.1 reflects the negligible real-world risk.
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions prior to 14.55 are affected. An attacker who already holds local administrator privileges on a managed endpoint can trigger the overflow to crash the Secure Access client, effectively disabling it on that machine. No public exploit code has been identified, and this vulnerability is not listed in the CISA KEV catalog.
Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-privileged local user to gain Administrator rights when the software is installed to a non-default directory, due to an insecure installer permission configuration. Absolute (formerly NetMotion) assigns this a CVSS 4.0 base score of 8.5 (High), reflecting full local compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.
Buffer overflow in Absolute Secure Access prior to version 14.50 allows remote attackers to cause denial of service by sending a cryptographically valid message to the client, potentially overwriting memory. The vulnerability requires network access and user interaction (UI:P), making it a moderate-complexity attack with low availability impact. Vendor has released a patch available as of the CVE disclosure.
Buffer overflow in Secure Access message parsing prior to version 14.50 allows remote attackers with control of a modified server to send specially crafted packets that corrupt memory, potentially causing denial of service or limited information disclosure. Attack requires network access, high complexity, and user interaction; CVSS 2.3 reflects limited real-world impact despite the vulnerability class.
Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.
Secure Access versions up to 14.20 is affected by insertion of sensitive information into log file (CVSS 3.4).
Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.
CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the console can redirect victims to an arbitrary URL. The attack complexity is low, attack requirements are present, no privileges are required, and users must actively participate in the attack. Impact to confidentiality is low and there is no impact to integrity or availability. There are high severity impacts to confidentiality, integrity, availability in subsequent systems.
There is an insufficient input validation vulnerability in the warehouse component of Absolute Secure Access prior to server version 13.55. Attackers with system administrator permissions can impair the availability of the Secure Access administrative UI by writing invalid data to the warehouse over the network. The attack complexity is low, there are no attack requirements, privileges required are high, and there is no user interaction required. There is no impact on confidentiality or integrity; the impact on availability is high.
Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated, network-based attackers to trigger a Denial of Service condition by sending specially crafted packet sequences. The vulnerability requires no privileges or user interaction and has high availability impact (complete service disruption), though no data confidentiality or integrity risk. This is a critical operational risk for organizations dependent on Absolute Secure Access for remote connectivity.
CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.07. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06 that allows attackers with system administrator permissions to interfere with other. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the policy management UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the pool configuration component of the management UI of Absolute Secure Access prior to 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is an insufficient input validation vulnerability in the Warehouse component of Absolute Secure Access prior to 13.06. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Policy management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Resource exhaustion in Absolute Security Secure Access publisher (versions prior to 14.55) enables authenticated remote attackers holding valid tunnel credentials to trigger a non-persistent denial of service against the publisher component. The CVSS 4.0 score of 5.1 (Medium) reflects the constrained impact: availability loss is limited and self-recovering, with no confidentiality or integrity exposure. No public exploit code and no CISA KEV listing identified at time of analysis.
Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol knowledge and tunnel control to trigger a non-persistent denial-of-service against the server component. Both client and server software are identified as affected per the vendor's own disclosure. No public exploit code and no CISA KEV listing are confirmed at time of analysis, and the non-persistent DoS nature implies the server likely auto-recovers, constraining operational impact.
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep, low-level command of the tunnel protocol to corrupt server-side memory management and keep the server down. The flaw carries a CVSS 4.0 base score of 8.7 driven entirely by an availability (VA:H) impact, with no confidentiality or integrity consequence. No public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world exploitation appears unproven.
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the network-accessible attack surface warrants patching given Absolute Secure Access is a perimeter access product. Notably, the vendor-supplied tag includes 'Information Disclosure,' which conflicts with the DoS-only description and may indicate additional undisclosed impact.
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel participant to permanently crash or wedge the server by abusing the tunnel protocol. The CVSS 4.0 vector (7.1, PR:L, VA:H) confirms an availability-only impact requiring some level of tunnel authentication, with no confidentiality or integrity effect despite a mislabeled 'Information Disclosure' tag. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Non-persistent denial-of-service affecting Absolute Secure Access clients prior to version 14.55 can be triggered by an attacker who possesses intimate knowledge of and total control over the underlying tunnel protocol, yielding low availability impact limited to the client process. The CVSS 4.0 score of 2.3 reflects the highly constrained exploitation requirements captured by AT:P and UI:P - this is not opportunistic exploitation but a targeted, condition-heavy attack against a specific client. No active exploitation has been identified, no public exploit code exists, and the DoS is explicitly described as non-persistent, meaning the client recovers without lasting damage.
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.
Memory disclosure in Absolute Security Secure Access client (versions prior to 14.55) permits a small, indeterminate amount of process memory to leak to an adversary who has already achieved full control over the tunnel protocol. The CVSS 4.0 score of 2.1 accurately reflects the narrow real-world impact: an attacker must simultaneously possess intimate protocol knowledge and the ability to manipulate tunnel communications end-to-end, a prerequisite that dramatically limits the exploitable population. No public exploit code exists and the vulnerability does not appear in the CISA KEV catalog, reinforcing its low operational priority for most enterprises.
Integer underflow in the traffic parsing function of Absolute Security Secure Access clients prior to version 14.55 enables a non-persistent denial-of-service condition against the client application. Exploitation demands the attacker possess intimate knowledge of the proprietary tunnel protocol AND maintain total control over that tunnel - an exceptionally high bar that drastically limits realistic attacker population. The impact is restricted to temporarily disrupting the Secure Access client on the victim endpoint; the service recovers without persistent damage. No public exploit code exists and this vulnerability is not listed in CISA KEV.
Integer underflow in Absolute Security's Secure Access client prior to version 14.55 allows an attacker with full control over the tunnel protocol to cause a non-persistent denial of service against the client. The exploitation bar is extremely high - the attacker must possess both intimate knowledge of the proprietary tunnel protocol and total control over the communication channel. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor-reported CVSS 4.0 score of 2.1 reflects the negligible real-world risk.
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions prior to 14.55 are affected. An attacker who already holds local administrator privileges on a managed endpoint can trigger the overflow to crash the Secure Access client, effectively disabling it on that machine. No public exploit code has been identified, and this vulnerability is not listed in the CISA KEV catalog.
Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-privileged local user to gain Administrator rights when the software is installed to a non-default directory, due to an insecure installer permission configuration. Absolute (formerly NetMotion) assigns this a CVSS 4.0 base score of 8.5 (High), reflecting full local compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.
Buffer overflow in Absolute Secure Access prior to version 14.50 allows remote attackers to cause denial of service by sending a cryptographically valid message to the client, potentially overwriting memory. The vulnerability requires network access and user interaction (UI:P), making it a moderate-complexity attack with low availability impact. Vendor has released a patch available as of the CVE disclosure.
Buffer overflow in Secure Access message parsing prior to version 14.50 allows remote attackers with control of a modified server to send specially crafted packets that corrupt memory, potentially causing denial of service or limited information disclosure. Attack requires network access, high complexity, and user interaction; CVSS 2.3 reflects limited real-world impact despite the vulnerability class.
Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.
Secure Access versions up to 14.20 is affected by insertion of sensitive information into log file (CVSS 3.4).
Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.
CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the console can redirect victims to an arbitrary URL. The attack complexity is low, attack requirements are present, no privileges are required, and users must actively participate in the attack. Impact to confidentiality is low and there is no impact to integrity or availability. There are high severity impacts to confidentiality, integrity, availability in subsequent systems.
There is an insufficient input validation vulnerability in the warehouse component of Absolute Secure Access prior to server version 13.55. Attackers with system administrator permissions can impair the availability of the Secure Access administrative UI by writing invalid data to the warehouse over the network. The attack complexity is low, there are no attack requirements, privileges required are high, and there is no user interaction required. There is no impact on confidentiality or integrity; the impact on availability is high.
Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated, network-based attackers to trigger a Denial of Service condition by sending specially crafted packet sequences. The vulnerability requires no privileges or user interaction and has high availability impact (complete service disruption), though no data confidentiality or integrity risk. This is a critical operational risk for organizations dependent on Absolute Secure Access for remote connectivity.
CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.07. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06 that allows attackers with system administrator permissions to interfere with other. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the policy management UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the pool configuration component of the management UI of Absolute Secure Access prior to 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is an insufficient input validation vulnerability in the Warehouse component of Absolute Secure Access prior to 13.06. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Policy management UI of Absolute Secure Access prior to version 13.06. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.