CVE-2025-49828
Published: 15 July 2025
Summary
CVE-2025-49828 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in CyberArk Conjur. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through patching to Conjur OSS 1.21.2 or Secrets Manager 13.5 directly corrects the exposed API endpoint that enables RCE from injected secrets or templates.
Information input validation at the API endpoint and on data injected into the database sanitizes or rejects malicious secrets or templates, preventing arbitrary Ruby code execution.
Least privilege restricts authenticated users' ability to inject secrets or templates into the database, reducing the attack surface for exploiting the vulnerable API endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via exposed API in public-facing secrets management application (Conjur).
NVD Description
Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution. An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue.
Deeper analysis
CVE-2025-49828 is a remote code execution vulnerability (CWE-1336) affecting Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) versions 13.1 through 13.4.1. Conjur provides secrets management and application identity for infrastructure. The flaw stems from an exposed API endpoint that allows an authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database to execute arbitrary Ruby code within the Secrets Manager process. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with the ability to inject secrets or templates into the database can exploit this remotely over the network with low complexity and no user interaction. Successful exploitation grants high-impact remote code execution within the Secrets Manager process, potentially leading to full compromise of the affected Conjur instance, including confidentiality, integrity, and availability violations.
Advisories recommend upgrading to Conjur OSS version 1.21.2 or Secrets Manager, Self-Hosted version 13.5, which fix the issue. Relevant resources include the CyberArk Conjur GitHub release notes at https://github.com/cyberark/conjur/releases/tag/v1.21.2 and security advisory at https://github.com/cyberark/conjur/security/advisories/GHSA-93hx-v9pv-qrm4, along with oss-security mailing list discussions.
Details
- CWE(s)