CVE-2025-58443
Published 2025-09-06
Priority: P1 · 90 · critical · 9.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 17.65% (96.8th percentile)
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to perform an unauthenticated DB dump where they could pull a full SQL DB without credentials. A fix is expected to be released 9/15/2025. To address this vulnerability immediately, upgrade to the latest version of either the dev-branch or working-1.6 branch. This will patch the issue for users concerned about immediate exposure. See the FOG Project documentation for step-by-step upgrade instructions: https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fogproject | fogproject | <= 1.5.10.1673 | — |
Detection & IOCs (extracted from sources)
- Unauthenticated GET request to /fog/management/index.php?node=about&sub=kernel returning HTTP 200 with body matching regex '(?is)FOG.*Configuration.*(?:Kernel|bzImage)' indicates successful authentication bypass.
- Unauthenticated GET request to /fog/service/getversion.php with an out-of-band callback URL parameter triggering a DNS interaction indicates SSRF/auth-bypass exploitation.
- Monitor for unauthenticated access to FOGProject management endpoints; presence of 'FOG' in the response body with HTTP 200 on the base URL confirms a FOGProject instance is exposed.
- Unauthenticated SQL DB dump is possible against FOGProject <= 1.5.10.1673; monitor for unexpected full SQL database export requests from unauthenticated sessions.
- The vulnerability affects FOGProject versions 1.5.10.1673 and below only; instances already upgraded to dev-branch or working-1.6 branch are not affected.
- The Nuclei template uses a two-step flow (http(1) && http(2)); the first request confirms a FOGProject instance is present before attempting the bypass, reducing false positives.
- Detection via /fog/service/getversion.php requires an out-of-band DNS callback (interactsh); environments without OOB infrastructure should rely solely on the kernel page regex matcher.
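The log-side checks in the list above, as an added example (not code from the Nuclei template or the FOG Project): it scans web server access logs for the two request patterns named there. The combined log format, the function names, the `param` query key and the sample lines are assumptions or constructed; access logs do not record authentication state, so each hit is a candidate to correlate with session data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (assumed): ip - user [ts] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(target, status):
    """Return a finding label for one GET request target, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    # Pattern 1 from the page: the about/kernel management page answered with 200.
    if (path.endswith("/fog/management/index.php")
            and query.get("node") == ["about"] and query.get("sub") == ["kernel"]
            and status == 200):
        return "about-kernel-200"
    # Pattern 2: getversion.php with a URL in a parameter (name not on the page, so check all).
    if path.endswith("/fog/service/getversion.php"):
        for values in query.values():
            if any(re.match(r"(?i)https?://", v) for v in values):
                return "getversion-url-param"
    return None

def flag_fog_requests(lines):
    """Return a list of (ip, timestamp, label) for lines matching either pattern."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        label = classify(m["target"], int(m["status"]))
        if label:
            findings.append((m["ip"], m["ts"], label))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [07/Sep/2025:10:01:02 +0000] "GET /fog/management/index.php?node=about&sub=kernel HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.7 - - [07/Sep/2025:10:01:05 +0000] "GET /fog/service/getversion.php?param=http%3A%2F%2Fcallback.example.test%2F HTTP/1.1" 200 12 "-" "curl/8.0"',
    '192.0.2.10 - - [07/Sep/2025:10:02:00 +0000] "GET /fog/management/index.php?node=home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Sep/2025:10:02:09 +0000] "GET /fog/service/getversion.php HTTP/1.1" 200 12 "-" "fog-client"',
]

if __name__ == "__main__":
    for finding in flag_fog_requests(SAMPLE):
        print(finding)
```

The body regex from the first bullet cannot be applied to access logs; it needs response capture from a proxy or WAF.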
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.9 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.9 | CRITICAL | — |
No detection rules found.
Nuclei
FOGProject <= 1.5.10.1673 - Authentication Bypass
nuclei·CVSS 9.9
FOGProject version 1.5.10.1673 suffers from an authentication bypass vulnerability that allows unauthenticated users to access the management interface without proper authentication. This can lead to unauthorized access to system configuration, host management, and potentially database information.
Template:
```yaml
id: CVE-2025-58443

info:
  name: FOGProject <= 1.5.10.1673 - Authentication Bypass
  author: oleveloper
  severity: critical
  description: |
    FOGProject version 1.5.10.1673 suffers from an authentication bypass vulnerability that allows unauthenticated users to access the management interface without proper authentication. This can lead to unauthorized access to system configuration, host management, and potentially database information.
```
im