CVE-2025-25231
published 2025-08-11


Priority: P1 (81) · Severity: high (CVSS 3.1 base score 7.5)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 19.08% (97.0th percentile)
Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability. A malicious actor may be able to gain access to sensitive information by sending crafted GET requests (read-only) to restricted API endpoints.

Affected (4 ranges)

Vendor   | Product                   | Version range | Fixed in
omnissa  | omnissa_workspace_one_uem |               |
omnissa  | omnissa_workspace_one_uem |               |
omnissa  | omnissa_workspace_one_uem |               |
omnissa  | omnissa_workspace_one_uem |               |

Detection & IOCs (extracted from sources)

url:   /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/groups/apikeys%3fogname=Global
url:   /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/admins/search?status=active%3fogname=Global
path:  /DevicesGateway/apps/system-app-metadata/
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Omnissa Workspace One Path Traversal (CVE-2025-25231)"; flow:established,to_server; http.uri; content:"/DevicesGateway/apps/system-app-metadata/"; fast_pattern; startswith; content:"packageId|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R"; reference:url,www.picussecurity.com/resource/blog/omnissa-workspace-one-cve-2025-25231-path-traversal-exploit; reference:cve,2025-25231; classtype:web-application-attack; sid:2066456; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_24, cve CVE_2025_25231, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_24, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Exploit targets the /DevicesGateway/apps/system-app-metadata/ endpoint via GET requests with a crafted 'packageId' parameter containing path traversal sequences (e.g., ../../../../) to reach restricted API endpoints such as /API/system/groups/apikeys and /API/system/admins/search.
  • Successful exploitation of the API keys endpoint returns a JSON response body containing 'service_name' and 'api_key' fields with HTTP 200 and Content-Type application/json.
  • Successful exploitation of the admin search endpoint returns an XML response body containing 'AdminUser' and 'Uuid' fields with HTTP 200 and Content-Type application/xml.
  • The Snort/Suricata PCRE pattern matches URL-encoded and double-encoded dot-dot-slash traversal sequences in the packageId parameter value: /^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R
  • FOFA and Shodan fingerprints for identifying exposed Workspace ONE UEM instances: banner or header containing '/airwatch/default.aspx'.
  • The %3f sequence in the packageId parameter is a URL-encoded '?'. It survives the outer request's query parsing, so once the traversal resolves to the inner API path it supplies that endpoint's own query string (ogname=Global), which is how the endpoint restriction is sidestepped.
  • The Snort rule (sid:2066456) inspects http.uri, so it only fires on traffic the sensor can read in clear text; the tls_state TLSDecrypt and deployment SSLDecrypt metadata mean that, without TLS inspection in front of the UEM instance, HTTPS exploitation attempts will not be seen.
  • The exploit is read-only (crafted GET requests only); no write or modify capability is indicated, but sensitive data such as API keys and admin user UUIDs and e-mail addresses can be exfiltrated.
  • The Nuclei template uses a flow of http(1) OR http(2), so either request variant on its own confirms exploitation; the two variants target different restricted API endpoints (the API keys listing and the admin search).
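The bullets above describe the detection logic in two halves: the request side (the gateway path, a packageId parameter, and two or more traversal hops in literal, URL-encoded or double-encoded form, as encoded in the Snort PCRE) and the response side (HTTP 200 with the JSON or XML markers that indicate a successful read). The following is an added example, not code from this page, from Omnissa, or from the Emerging Threats rule; it re-implements that logic in Python so it can be run over access-log lines offline. The regular expression is the one quoted in the Snort rule (sid:2066456); the function names, constants and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Optional

# Hypothetical constants for this example. TARGET_PREFIX and PARAM_MARKER are the
# two content matches of the Snort rule; the PCRE is copied from the rule verbatim.
TARGET_PREFIX = "/DevicesGateway/apps/system-app-metadata/"
PARAM_MARKER = "packageId="

# Two or more "dot(s) + slash(es)" hops. Dots and slashes are accepted literally,
# URL-encoded (%2e, %2f, %5c) or double-encoded (%252e, %252f, %255c). The
# leading [^&]*? stops at '&', so a later query parameter cannot satisfy the match.
TRAVERSAL_RE = re.compile(
    r"^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff])+){2,}"
)

def is_traversal_probe(uri: str) -> bool:
    """Mirror the Snort rule: the URI starts with the gateway endpoint, carries a
    packageId parameter, and the value contains at least two traversal hops."""
    if not uri.startswith(TARGET_PREFIX):
        return False
    pos = uri.find(PARAM_MARKER)
    if pos == -1:
        return False
    # Snort's pcre /R anchors at the end of the previous content match;
    # re.match on the slice after "packageId=" anchors the same way.
    return TRAVERSAL_RE.match(uri[pos + len(PARAM_MARKER):]) is not None

# Request line of a combined-format access log entry.
REQUEST_LINE_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d(?:\.\d)?"')

def scan_access_log(lines) -> list:
    """Return the request URIs from log lines that look like CVE-2025-25231 probes."""
    hits = []
    for line in lines:
        m = REQUEST_LINE_RE.search(line)
        if m and is_traversal_probe(m.group(1)):
            hits.append(m.group(1))
    return hits

def classify_response(status: int, content_type: str, body: str) -> Optional[str]:
    """Label a response that indicates a successful read, using the markers listed
    on this page: JSON with service_name/api_key, or XML with AdminUser/Uuid.
    Returns None when the response does not look like a successful disclosure."""
    if status != 200:
        return None
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/json" and "service_name" in body and "api_key" in body:
        return "apikeys"
    if ct == "application/xml" and "AdminUser" in body and "Uuid" in body:
        return "admins_search"
    return None

# Constructed sample log lines (RFC 5737 documentation addresses). Lines 1 and 2
# are the two IOC URLs from this page, the second in double-encoded form; lines 3
# and 4 are benign: a normal packageId, and a direct (rejected) API call.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2025:10:01:02 +0000] "GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/groups/apikeys%3fogname=Global HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Aug/2025:10:01:03 +0000] "GET /DevicesGateway/apps/system-app-metadata/1?packageId=%252e%252e%252f%252e%252e%252fAPI/system/admins/search?status=active%3fogname=Global HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/Aug/2025:10:02:00 +0000] "GET /DevicesGateway/apps/system-app-metadata/1?packageId=com.example.mdm.agent HTTP/1.1" 200 1490',
    '198.51.100.7 - - [11/Aug/2025:10:02:01 +0000] "GET /API/system/groups/apikeys?ogname=Global HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for uri in scan_access_log(SAMPLE_LOG):
        print("probe:", uri)
```

Run against the constructed log, the scanner flags the first two lines and ignores the other two. The request-side check has the same blind spot as the Snort rule: it matches on the URI, so it only works where the URI is available in clear text (a decrypting proxy, the application's own access log, or a sensor behind TLS termination). Pairing it with classify_response on the corresponding response separates probes that were merely attempted from ones that actually returned API keys or admin records, which is the distinction an incident responder needs.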

CVSS provenance

nvd:        v3.1  7.5  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck:        7.5  HIGH