CVE-2025-58443
published 2025-09-06

Priority: P1 · 90 · critical
CVSS 3.1: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 17.65% (96.8th percentile)

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to perform an unauthenticated DB dump where they could pull a full SQL DB without credentials. A fix is expected to be released 9/15/2025. To address this vulnerability immediately, upgrade to the latest version of either the dev-branch or working-1.6 branch. This will patch the issue for users concerned about immediate exposure. See the FOG Project documentation for step-by-step upgrade instructions: https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version.

Affected

1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fogproject | fogproject | <= 1.5.10.1673 | |

Detection & IOCs

url: /fog/management/index.php?node=about&sub=kernel
url: /fog/service/getversion.php
other: icon_hash=-1952619005
other: http.favicon.hash:-1952619005
  • Unauthenticated GET request to /fog/management/index.php?node=about&sub=kernel returning HTTP 200 with body matching regex '(?is)FOG.*Configuration.*(?:Kernel|bzImage)' indicates successful authentication bypass.
  • Unauthenticated GET request to /fog/service/getversion.php with an out-of-band callback URL parameter triggering a DNS interaction indicates SSRF/auth-bypass exploitation.
  • Monitor for unauthenticated access to FOGProject management endpoints; presence of 'FOG' in the response body with HTTP 200 on the base URL confirms a FOGProject instance is exposed.
  • Unauthenticated SQL DB dump is possible against FOGProject <= 1.5.10.1673; monitor for unexpected full SQL database export requests from unauthenticated sessions.
  • The vulnerability affects FOGProject versions 1.5.10.1673 and below only; instances already upgraded to dev-branch or working-1.6 branch are not affected.
  • The Nuclei template uses a two-step flow (http(1) && http(2)); the first request confirms a FOGProject instance is present before attempting the bypass, reducing false positives.
  • Detection via /fog/service/getversion.php requires an out-of-band DNS callback (interactsh); environments without OOB infrastructure should rely solely on the kernel page regex matcher.
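
A log-side way to apply the indicators above, as an added example (not from the advisory or the FOG Project): it scans web-server access logs in combined log format for the two request patterns. The `admin_ips` allow-list, the placeholder parameter name `p` and the sample lines are assumptions; access logs record neither session state nor response bodies, so every hit is a candidate for review.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
URL_VALUE = re.compile(r"(?i)^[a-z][a-z0-9+.-]*://")
KERNEL_PATH = "/fog/management/index.php"
VERSION_PATH = "/fog/service/getversion.php"

def classify(line, admin_ips=frozenset()):
    """Return a finding label for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    if method != "GET" or ip in admin_ips:  # admin_ips: assumed allow-list
        return None
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    if url.path == KERNEL_PATH and status == "200":
        if query.get("node") == ["about"] and query.get("sub") == ["kernel"]:
            return "kernel-page-200"
    if url.path == VERSION_PATH:
        # A parameter whose decoded value is itself a URL suggests a callback.
        if any(URL_VALUE.match(v) for vals in query.values() for v in vals):
            return "getversion-url-param"
    return None

def triage(lines, admin_ips=frozenset()):
    """Return (source_ip, label) for every line that needs review."""
    hits = []
    for line in lines:
        label = classify(line, admin_ips)
        if label:
            hits.append((line.split()[0], label))
    return hits

# Constructed sample lines; the parameter name "p" is a placeholder.
SAMPLE = [
    '203.0.113.7 - - [06/Sep/2025:10:00:01 +0000] "GET /fog/management/index.php?node=about&sub=kernel HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Sep/2025:10:00:02 +0000] "GET /fog/service/getversion.php?p=http%3A%2F%2Fcallback.example.test%2F HTTP/1.1" 200 12',
    '10.0.0.5 - - [06/Sep/2025:10:01:00 +0000] "GET /fog/management/index.php?node=about&sub=kernel HTTP/1.1" 200 5120',
    '198.51.100.9 - - [06/Sep/2025:10:02:00 +0000] "GET /fog/management/index.php?node=about&sub=kernel HTTP/1.1" 302 0',
    '198.51.100.9 - - [06/Sep/2025:10:03:00 +0000] "GET /fog/service/getversion.php HTTP/1.1" 200 8',
]

if __name__ == "__main__":
    for ip, label in triage(SAMPLE, admin_ips={"10.0.0.5"}):
        print(ip, label)
```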

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.9 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.9 | CRITICAL | |