Broadcom Symantec Privileged Access Management vulnerabilities
19 known vulnerabilities affecting broadcom/symantec_privileged_access_management.
Total CVEs: 19 | CISA KEV: 0 | Public exploits: 0 | Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 9
Vulnerabilities
CVE-2025-24503 | CRITICAL | CVSS 9.3 | CWE-384 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 (+1 more) | 2025-01-30
A malicious actor can fix the session of a PAM user by tricking the user into clicking a specially crafted link to the PAM server.
Sources: cvelistv5, nvd
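The entry above describes session fixation (CWE-384) delivered through a crafted link. The page does not say how the PAM server accepts the planted identifier, so the following is an added illustration of the vulnerability class, not Symantec PAM code: a toy in-memory server that adopts a session identifier presented by the client and keeps it across login (the assumed vulnerable behaviour), beside a hardened version that honours only identifiers it issued itself and rotates the identifier at authentication. The credential store, user names and identifier format are constructed for the demonstration.

```python
import secrets

# Constructed illustration of CWE-384 session fixation, not Symantec PAM code.
# Session store: sid -> {"user": str | None}

USERS = {"alice": "correct horse"}   # constructed credential store

def check_password(user, password):
    return USERS.get(user) == password

class VulnerableServer:
    """Adopts whatever session id the client presents and keeps it after login."""
    def __init__(self):
        self.sessions = {}

    def visit(self, sid_from_request=None):
        # Assumed mechanism: a link such as https://pam.example/?sid=<attacker-known>
        # plants the id and the server registers it unchanged.
        sid = sid_from_request or secrets.token_hex(16)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user, password):
        if not check_password(user, password):
            return None
        # The id the attacker chose now carries an authenticated user.
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

class HardenedServer:
    """Issues ids only itself and rotates the id at authentication."""
    def __init__(self):
        self.sessions = {}

    def visit(self, sid_from_request=None):
        # Only ids this server issued are honoured; anything else is replaced.
        if sid_from_request in self.sessions:
            return sid_from_request
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        if not check_password(user, password):
            return None
        # Rotate: discard the pre-authentication id (which a third party may know)
        # and bind the authenticated state to a fresh one.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid

def whoami(server, sid):
    """User the server associates with `sid`, or None if unauthenticated or unknown."""
    return server.sessions.get(sid, {}).get("user")

def attack(server_cls):
    """Attacker plants a known id via a link; the victim logs in; the attacker reuses the id."""
    server = server_cls()
    planted = "a" * 32                       # attacker-chosen id embedded in the link
    victim_sid = server.visit(planted)       # victim follows the link
    server.login(victim_sid, "alice", "correct horse")
    return whoami(server, planted)           # attacker presents the planted id

if __name__ == "__main__":
    print("vulnerable server, planted id maps to:", attack(VulnerableServer))
    print("hardened server, planted id maps to:  ", attack(HardenedServer))
```

The two behaviours that close the hole are independent and both matter: refusing client-supplied identifiers stops the planted id from ever being registered, and rotating the id at login limits the damage if an identifier does leak before authentication.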
CVE-2025-24500 | HIGH | CVSS 8.7 | CWE-863 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 (+1 more) | 2025-01-30
The vulnerability allows an unauthenticated attacker to access information in the PAM database.
Sources: cvelistv5, nvd
CVE-2025-24507 | HIGH | CVSS 8.9 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 (+1 more) | 2025-01-30
This vulnerability allows appliance compromise at boot time.
Sources: cvelistv5, nvd
CVE-2025-24505 | HIGH | CVSS 8.8 | CWE-434 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 | 2025-01-30
This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by uploading a specially crafted upgrade file.
Sources: cvelistv5, nvd
CVE-2025-24501 | MEDIUM | CVSS 5.3 | CWE-20 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 (+1 more) | 2025-01-30
Improper input validation allows an unauthenticated attacker to alter PAM logs by sending a specially crafted HTTP request.
Sources: cvelistv5, nvd
CVE-2025-24506 | MEDIUM | CVSS 5.3 | CWE-203 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 (+1 more) | 2025-01-30
A specific authentication strategy allows an attacker to learn the IDs of PAM users associated with certain authentication types.
Sources: cvelistv5, nvd
CVE-2025-24502 | MEDIUM | CVSS 5.3 | CWE-384 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 (+1 more) | 2025-01-30
Improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address.
Sources: cvelistv5, nvd
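The entry above is a case of deriving identity from a client-controlled source address. The page does not say how PAM obtains the client IP, so the following added example (not PAM code) assumes the most common mechanism, a forwarded-for style header, and contrasts a naive resolver that trusts the header with one that honours it only behind a known proxy. The trusted proxy range, the session-by-IP table and the addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed illustration of client-IP spoofing, not Symantec PAM code.
# Assumption: the server sits behind a load balancer in 10.0.0.0/8 that appends
# the real peer address to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def client_ip_naive(peer_ip, headers):
    """Vulnerable: the header wins, so any client can claim any address."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()   # leftmost hop is whatever the sender wrote
    return peer_ip

def _is_trusted(ip):
    addr = ipaddress.ip_address(ip)        # raises ValueError on garbage
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, headers, trusted=_is_trusted):
    """Hardened: use the header only when the socket peer is a trusted proxy,
    and walk X-Forwarded-For from the right, stripping trusted hops only."""
    if not trusted(peer_ip):
        return peer_ip                      # direct connection: header is attacker-controlled
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not trusted(hop):
                return hop                  # first untrusted address walking back from us
        except ValueError:
            return peer_ip                  # malformed hop: fall back to the socket address
    return peer_ip

# Constructed model of the flawed design: notifications keyed by client IP.
SESSIONS_BY_IP = {"198.51.100.7": "alice"}

def notification_user(peer_ip, headers, resolver):
    """User whose context a request notification would run in under `resolver`."""
    return SESSIONS_BY_IP.get(resolver(peer_ip, headers))

if __name__ == "__main__":
    attacker = {"x-forwarded-for": "198.51.100.7"}       # claims alice's address
    print("naive:   ", notification_user("203.0.113.9", attacker, client_ip_naive))
    print("hardened:", notification_user("203.0.113.9", attacker, client_ip))
```

Even the hardened resolver only makes the address honest; it does not make it an identity. The durable fix for the class is to bind request notifications to the authenticated session token, with the IP used at most as a secondary signal.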
CVE-2025-24504 | MEDIUM | CVSS 5.3 | CWE-20 | Affected: 3.4.6; ≥ 4.1.0, ≤ 4.1.8 (+1 more) | 2025-01-30
Improper input validation in the CSRF filter results in unsanitized user input being written to the application logs.
Sources: cvelistv5, nvd
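CVE-2025-24501 and CVE-2025-24504 above both concern client input reaching the PAM logs without sanitisation, which is how log entries get forged: a carriage return or line feed inside a request field ends the real entry and the remainder appears as a separate, attacker-authored line. The following added example (not PAM code; the log format, field names and request values are constructed) writes one crafted request field through a verbatim logger and through a neutralising one, and includes the pre-logging check a proxy or WAF rule would apply.

```python
import re

# Constructed illustration of log forging via unsanitised input, not Symantec PAM code.
# The "log" is a list of appended strings; a real service would use the logging module.

CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, ESC, NUL and other C0 controls

def write_vulnerable(log, user_agent, path):
    """Writes the client-controlled values verbatim; a CR/LF inside them forges lines."""
    log.append(f'client_ua="{user_agent}" path="{path}" result=denied')

def neutralize(value, max_len=256):
    """Escape control characters so one event stays one line, and cap the length."""
    escaped = CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    return escaped[:max_len]

def write_hardened(log, user_agent, path):
    log.append(f'client_ua="{neutralize(user_agent)}" path="{neutralize(path)}" result=denied')

def suspicious_field(value):
    """Pre-logging check for a proxy/WAF rule: any control character in a header or parameter."""
    return bool(CONTROL.search(value))

# Constructed crafted User-Agent: the newline terminates the genuine entry and the
# remainder mimics a successful admin login, misleading anyone reviewing the log.
FORGED_UA = 'Mozilla/5.0\nuser="admin" path="/login" result=success'

def demo():
    """Return the physical lines each logger produced for the same single request."""
    vuln_log, hard_log = [], []
    write_vulnerable(vuln_log, FORGED_UA, "/api/notify")
    write_hardened(hard_log, FORGED_UA, "/api/notify")
    return ("\n".join(vuln_log).splitlines(), "\n".join(hard_log).splitlines())

if __name__ == "__main__":
    vuln_lines, hard_lines = demo()
    print("vulnerable logger wrote", len(vuln_lines), "lines:", *vuln_lines, sep="\n  ")
    print("hardened logger wrote", len(hard_lines), "line:", *hard_lines, sep="\n  ")
```

Escaping is the minimum; emitting structured records (for example JSON per line, with the client value as a quoted string field) removes the ambiguity entirely, and the `suspicious_field` check is worth running at the edge because a request carrying raw CR/LF in a header has no legitimate reason to exist.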
CVE-2024-36455 | CRITICAL | CVSS 9.4 | CWE-665 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
Improper input validation allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request.
Sources: cvelistv5, nvd
CVE-2024-36456 | CRITICAL | CVSS 9.4 | CWE-94 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.
Sources: cvelistv5, nvd
CVE-2024-38492 | CRITICAL | CVSS 9.4 | CWE-77 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.
Sources: cvelistv5, nvd
CVE-2024-38491 | HIGH | CVSS 8.4 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
The vulnerability allows an unauthenticated attacker to read arbitrary information from the database.
Sources: cvelistv5, nvd
CVE-2024-38494 | HIGH | CVSS 8.6 | CWE-444 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request.
Sources: cvelistv5, nvd
CVE-2024-36458 | MEDIUM | CVSS 5.1 | CWE-918 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
The vulnerability allows a malicious low-privileged PAM user to perform server upgrade related actions.
Sources: cvelistv5, nvd
CVE-2024-38493 | MEDIUM | CVSS 6.8 | CWE-79 | Affected: ≥ 4.1.0, ≤ 4.1.7; 4.1.0 - 4.1.7 (+1 more) | 2024-07-15
A reflected cross-site scripting (XSS) vulnerability exists in the PAM UI web interface. A remote attacker able to convince a PAM user to click on a specially crafted link to the PAM UI web interface could potentially execute arbitrary client-side code in the context of PAM UI.
Sources: cvelistv5, nvd
CVE-2024-38495 | MEDIUM | CVSS 5.3 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
A specific authentication strategy allows a malicious attacker to learn the IDs of all PAM users defined in its database.
Sources: cvelistv5, nvd
CVE-2024-38496 | MEDIUM | CVSS 5.1 | CWE-922 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
The vulnerability allows a malicious low-privileged PAM user to access information about other PAM users and their group memberships.
Sources: cvelistv5, nvd
CVE-2024-36457 | MEDIUM | CVSS 5.3 | CWE-306 | Affected: 4.1.0 - 4.1.7; 3.4.6 | 2024-07-15
The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.
Sources: cvelistv5, nvd
CVE-2022-25625 | HIGH | CVSS 8.8 | Affected: ≥ 3.4.0.0, < 3.4.6.05; ≥ 4.0.0.0, < 4.0.0.05 (+4 more) | 2022-08-26
A malicious unauthorized PAM user can access the administration configuration data and change the values.
Sources: nvd
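The affected-version notation in the entries above mixes three forms: inclusive bounds with comparison signs ("≥ 4.1.0, ≤ 4.1.8"), dash ranges ("4.1.0 - 4.1.7") and single releases ("3.4.6"), with four-component builds such as 3.4.6.05 in the 2022 entry. The following added helper (not a Broadcom tool) parses all three forms and answers whether an installed version falls in any listed range; the ranges transcribed into it are only those visible on this page, so the "+N more" ranges the page elides are not covered.

```python
import re
from typing import List, Tuple

# Added helper for the affected-version notation used on this page; not a Broadcom tool.

_VER = re.compile(r"\d+(?:\.\d+)*")
_OPS = {"≥": ">=", ">=": ">=", "≤": "<=", "<=": "<=", "<": "<", ">": ">", "=": "=="}
_CONSTRAINT = re.compile(r"(≥|≤|>=|<=|<|>|=)?\s*v?(\d+(?:\.\d+)*)")

def parse_version(s: str) -> Tuple[int, ...]:
    """'v3.4.6' -> (3, 4, 6); '3.4.6.05' -> (3, 4, 6, 5)."""
    m = _VER.fullmatch(s.strip().lstrip("v"))
    if not m:
        raise ValueError(f"bad version: {s!r}")
    return tuple(int(p) for p in m.group().split("."))

def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad with zeros so 4.1 == 4.1.0 and 3.4.6 < 3.4.6.05
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def parse_range(text: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """'≥ 4.1.0, ≤ 4.1.8' -> [('>=', (4,1,0)), ('<=', (4,1,8))].
    '4.1.0 - 4.1.7' becomes an inclusive pair; a bare '3.4.6' becomes an exact match."""
    text = text.strip()
    if " - " in text:
        lo, hi = text.split(" - ", 1)
        return [(">=", parse_version(lo)), ("<=", parse_version(hi))]
    out = []
    for part in text.split(","):
        m = _CONSTRAINT.fullmatch(part.strip())
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        out.append((_OPS[m.group(1) or "="], parse_version(m.group(2))))
    return out

_CHECKS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "<": lambda c: c < 0,
           ">": lambda c: c > 0, "==": lambda c: c == 0}

def satisfies(version: str, constraints) -> bool:
    v = parse_version(version)
    return all(_CHECKS[op](_cmp(v, bound)) for op, bound in constraints)

def is_affected(version: str, ranges: List[str]) -> bool:
    """True if `version` falls inside any of the listed affected ranges."""
    return any(satisfies(version, parse_range(r)) for r in ranges)

# Ranges transcribed from the entries above; the page's "+N more" ranges are not included.
CVE_2025_24503 = ["3.4.6", "≥ 4.1.0, ≤ 4.1.8"]
CVE_2024_36455 = ["4.1.0 - 4.1.7", "3.4.6"]
CVE_2022_25625 = ["≥ 3.4.0.0, < 3.4.6.05", "≥ 4.0.0.0, < 4.0.0.05"]

if __name__ == "__main__":
    for ver in ("3.4.5.12", "3.4.6", "4.1.7", "4.1.8", "4.1.9"):
        print(ver, "CVE-2025-24503:", is_affected(ver, CVE_2025_24503),
              "CVE-2024-36455:", is_affected(ver, CVE_2024_36455),
              "CVE-2022-25625:", is_affected(ver, CVE_2022_25625))
```

Note that a bare "3.4.6" is treated as that exact release only; whether Broadcom meant the whole 3.4.6.x line is not stated on the page, so when in doubt check the vendor advisory for the full list rather than relying on the truncated ranges here.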