CVE-2025-25231
Published 2025-08-11
Priority: P181 | high | 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 19.08% (97.0th percentile)
Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability. A malicious actor may be able to gain access to sensitive information by sending crafted GET requests (read-only) to restricted API endpoints.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| omnissa | omnissa_workspace_one_uem | — | — |
| omnissa | omnissa_workspace_one_uem | — | — |
| omnissa | omnissa_workspace_one_uem | — | — |
| omnissa | omnissa_workspace_one_uem | — | — |
Detection & IOCs (extracted from sources)
url: /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/groups/apikeys%3fogname=Global
url: /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/admins/search?status=active%3fogname=Global
path: /DevicesGateway/apps/system-app-metadata/
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Omnissa Workspace One Path Traversal (CVE-2025-25231)"; flow:established,to_server; http.uri; content:"/DevicesGateway/apps/system-app-metadata/"; fast_pattern; startswith; content:"packageId|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R"; reference:url,www.picussecurity.com/resource/blog/omnissa-workspace-one-cve-2025-25231-path-traversal-exploit; reference:cve,2025-25231; classtype:web-application-attack; sid:2066456; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_24, cve CVE_2025_25231, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_24, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
- Exploit targets the /DevicesGateway/apps/system-app-metadata/ endpoint via GET requests with a crafted 'packageId' parameter containing path traversal sequences (e.g., ../../../../) to reach restricted API endpoints such as /API/system/groups/apikeys and /API/system/admins/search.
- Successful exploitation of the API keys endpoint returns a JSON response body containing 'service_name' and 'api_key' fields with HTTP 200 and Content-Type application/json.
- Successful exploitation of the admin search endpoint returns an XML response body containing 'AdminUser' and 'Uuid' fields with HTTP 200 and Content-Type application/xml.
- The Snort/Suricata PCRE pattern matches URL-encoded and double-encoded dot-dot-slash traversal sequences in the packageId parameter value: /^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R
- FOFA and Shodan fingerprints for identifying exposed Workspace ONE UEM instances: banner or header containing '/airwatch/default.aspx'.
- The %3f sequence in the packageId parameter is a URL-encoded '?' used to inject query parameters into the traversed path, bypassing endpoint restrictions.
- The Snort rule (sid:2066456) requires TLS decryption to be effective, as indicated by the deployment metadata; without SSL inspection, encrypted traffic will not be inspected.
- The exploit is read-only (crafted GET requests only); no write/modify capability is indicated, but sensitive data such as API keys and admin user UUIDs/emails can be exfiltrated.
- The Nuclei template uses a flow of http(1) OR http(2), meaning either of the two request variants independently confirms exploitation; both target different restricted API endpoints.
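Where TLS decryption is not available on the wire, the same conditions can be checked after the fact against web access logs. The following is an added example, not part of the rule set or of any source indexed on this page: it applies the rule's endpoint prefix and PCRE to request URIs. The log layout, finding fields and sample lines are constructed assumptions.

```python
import re

ENDPOINT = "/DevicesGateway/apps/system-app-metadata/"
# PCRE copied from the rule on this page (sid:2066456). Its /R flag anchors the
# match right after the preceding content match, "packageId=".
TRAVERSAL = re.compile(
    r"^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}"
    r"(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}"
)
# Assumed log layout for this example: <client-ip> "<METHOD> <uri> <proto>" <status>
LOG_LINE = re.compile(r'^(?P<ip>\S+) "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})$')


def uri_matches_rule(uri):
    """True if the request URI satisfies the rule's content and pcre conditions."""
    if not uri.startswith(ENDPOINT):
        return False
    # Try the pcre after every "packageId=" occurrence, as a relative match would.
    return any(TRAVERSAL.match(uri[m.end():]) for m in re.finditer("packageId=", uri))


def scan(lines):
    """Return one finding per log line whose URI matches the rule."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not uri_matches_rule(m["uri"]):
            continue
        value = m["uri"].split("packageId=", 1)[1]
        findings.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            # %3f is the encoded '?' the page describes for injecting a query string.
            "encoded_query": "%3f" in value.lower(),
            # HTTP 200 is the status the page associates with a successful read.
            "review_response": m["status"] == "200",
        })
    return findings


# Constructed sample lines (documentation IP ranges); the first URI is quoted from this page.
SAMPLE = [
    '203.0.113.7 "GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/groups/apikeys%3fogname=Global HTTP/1.1" 200',
    '198.51.100.9 "GET /DevicesGateway/apps/system-app-metadata/1?packageId=%252e%252e%255c%2e%2e%2fAPI HTTP/1.1" 404',
    '192.0.2.10 "GET /DevicesGateway/apps/system-app-metadata/1?packageId=com.example.app HTTP/1.1" 200',
    '192.0.2.11 "GET /DevicesGateway/apps/system-app-metadata/1?packageId=../icon.png HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A single `../` does not match because the pattern requires at least two consecutive traversal segments, and a traversal placed after an `&` is outside the `packageId` value the rule inspects.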
CVSS provenance
nvd | v3.1 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck | 7.5 HIGH
GHSA
GHSA-6489-j79m-95x8: Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability
ghsa_unreviewed·2025-08-11
CVE-2025-25231 [HIGH] CWE-22 GHSA-6489-j79m-95x8: Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability
VulnCheck
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2025·CVSS 7.5
CVE-2025-25231 [HIGH] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: Omnissa Omnissa Workspace ONE UEM
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://moje.cert.pl/komunikaty/2025/29/aktywnie-wykorzystywana-krytyczna-podatnosc-w-narzedziu-omnissa-workspace-one-uem-airwatch-mdm/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-12-28&host_type=src&vulnerability=cve-2025-2
Suricata
ET WEB_SPECIFIC_APPS Omnissa Workspace One Path Traversal (CVE-2025-25231)
suricata·2025-12-24·CVSS 7.5
CVE-2025-25231 [HIGH] ET WEB_SPECIFIC_APPS Omnissa Workspace One Path Traversal (CVE-2025-25231)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Omnissa Workspace One Path Traversal (CVE-2025-25231)"; flow:established,to_server; http.uri; content:"/DevicesGateway/apps/system-app-metadata/"; fast_pattern; startswith; content:"packageId|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R"; reference:url,www.picussecurity.com/resource/blog/omnissa-workspace-one-cve-2025-25231-path-traversal-exploit; reference:cve,2025-25231; classtype:web-application-attack; sid:2066456; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_24, cve CVE_2025_25231, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confi
Nuclei
Omnissa Workspace ONE UEM - Path Traversal
nuclei·CVSS 7.5
CVE-2025-25231 [HIGH] Omnissa Workspace ONE UEM - Path Traversal
Omnissa Workspace ONE UEM contains a path traversal caused by crafted GET requests to restricted API endpoints, letting malicious actors access sensitive information. Exploitation requires sending crafted requests.
Template:
```yaml
id: CVE-2025-25231

info:
  name: Omnissa Workspace ONE UEM - Path Traversal
  author: DhiyaneshDK,slcyber
  severity: high
  description: |
    Omnissa Workspace ONE UEM contains a path traversal caused by crafted GET requests to restricted API endpoints, letting malicious actors access sensitive information, exploit requires sending crafted requests.
  impact: |
    Malicious actors can access sensitive information by exploiting path traversal in API endpoints.
  remediation: |
    Update to the latest version.
  reference:
    - https://slcyber.io/assetno
```
No writeups or analysis indexed.
2025-08-11: Published
Exploited in the wild