CVE-2025-32815
published 2025-05-22

CVE-2025-32815: An issue was discovered in Infoblox NETMRI before 7.6.1. Authentication Bypass via a Hardcoded credential can occur.

Priority: P180
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:L / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 35.04% (98.2th percentile)

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| infoblox | netmri | < 7.6.1 | 7.6.1 |
| msrc | cbl2_exiv2_0.27.5-1_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |

Detection & IOCs (extracted from sources)

url: /netmri/common/SetRawCookie.tdf?name=letmein&value=%78%79%7a%0d%0a%55%73%65%72%4e%61%6d%65%3d%61%64%6d%69%6e
other: Basic X3BtOnBtMTk3MjY=
path: /netmri/common/SetRawCookie.tdf
cookie: Skipjack-
other: icon_hash=-319724102
snort:
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Infoblox NetMRI SetRawCookie.tdf Process Manager Hard-Coded Credentials Authentication Bypass Attempt (CVE-2025-32815)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/netmri/common/SetRawCookie.tdf|3f|"; fast_pattern; startswith; http.header; content:"Authorization|3a 20|Basic|20|X3BtOnBtMTk3MjY|3d|"; reference:url,rhinosecuritylabs.com/research/infoblox-multiple-cves/; reference:cve,2025-32815; classtype:attempted-admin; sid:2062743; rev:1; metadata:affected_product Infoblox, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_06_04, cve CVE_2025_32815, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit chain: Step 1 — attacker sends GET to /netmri/common/SetRawCookie.tdf with hardcoded Basic auth header (X3BtOnBtMTk3MjY=) to set a session cookie; Step 2 — attacker reads /etc/shadow via /visual/ViewerFileServlet?fileName=/etc/shadow using the established session.
  • Network detection: alert on HTTP GET requests to URI starting with /netmri/common/SetRawCookie.tdf? combined with Authorization header containing the hardcoded Base64 credential 'X3BtOnBtMTk3MjY=' (ET SID 2062743).
  • FOFA fingerprinting: Infoblox NetMRI instances can be identified on the internet using icon_hash=-319724102 for pre-exploitation reconnaissance.
  • The Snort/Suricata rule (ET SID 2062743) requires TLS decryption to be effective, as the metadata explicitly flags tls_state TLSDecrypt; without TLS inspection the hardcoded Authorization header will not be visible in cleartext.

CVSS provenance

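| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N |
| vulncheck | | 6.5 | MEDIUM | |
| vendor_msrc | | 5.5 | MEDIUM | |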