Cyber Posture

CVE-2025-0509

Severity: High

Published: 04 February 2025

Modified: 05 August 2025
CVSS Score: 7.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0509 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability affecting NetApp HCI Compute Node; the underlying flaw is in the Sparkle update framework (see the NVD description below). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). EPSS ranks it at the 21.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Compromise Software Supply Chain (T1195.002) and one other technique, Software Deployment Tools (T1072). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (CM-14, Signed Components): Mandates digital signature verification for software components prior to installation or execution, directly preventing the CVE's bypass of Sparkle's (Ed)DSA signing checks during updates.

prevent (SI-2, Flaw Remediation): Requires timely flaw remediation, including updating to Sparkle version 2.6.4 or later, eliminating the specific vulnerability that enables signed update replacement.

detect: Monitors software integrity using cryptographic mechanisms to detect unauthorized changes or tampered payloads substituted during the update process.

MITRE ATT&CK Enterprise Techniques

T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

T1072 Software Deployment Tools (Execution): Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network.
Why these techniques?

The vulnerability in the Sparkle update framework directly enables tampering with signed updates (bypassing EdDSA verification) to deliver malicious payloads, facilitating supply chain compromise via software deployment tooling.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

Deeper analysis

CVE-2025-0509 is a security vulnerability in Sparkle, an open-source software update framework commonly used for macOS applications, affecting versions prior to 2.6.4. The flaw enables an attacker to replace an existing signed update with a malicious payload, bypassing Sparkle's (Ed)DSA signing verification checks. Classified under CWE-552 (Files or Directories Accessible to External Parties), it carries a CVSS v3.1 base score of 7.3 (AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-02-04.

Exploitation requires an adjacent network position, high attack complexity, elevated privileges on the target system, and user interaction, such as a user approving a tampered update. A successful attack can result in high impacts to confidentiality, integrity, and availability across the affected component's scope, potentially allowing arbitrary code execution or full system compromise through the substituted payload.

Mitigation is achieved by updating to Sparkle version 2.6.4 or later. Key resources include the fixing pull request at https://github.com/sparkle-project/Sparkle/pull/2550, Sparkle's security and reliability documentation at https://sparkle-project.org/documentation/security-and-reliability/, and the NetApp advisory NTAP-20250124-0008 at https://security.netapp.com/advisory/ntap-20250124-0008/.

Details

CWE(s): CWE-552 (Files or Directories Accessible to External Parties)

Affected Products

sparkle-project / sparkle: ≤ 2.6.4
netapp / hci compute node: all versions
netapp / oncommand workflow automation: all versions

CVEs Like This One

CVE-2025-27423 (same product: NetApp HCI Compute Node)
CVE-2024-48864 (same product class: NAS / storage appliance)
CVE-2025-26512 (same product class: NAS / storage appliance)
CVE-2025-24813 (same product: NetApp HCI Compute Node)
CVE-2024-56171 (same product: NetApp HCI Compute Node)
CVE-2025-24928 (same product: NetApp HCI Compute Node)
CVE-2024-54085 (same product class: NAS / storage appliance)
CVE-2025-1736 (same product class: NAS / storage appliance)
CVE-2025-1861 (same product class: NAS / storage appliance)
CVE-2025-0411 (same product class: NAS / storage appliance)