Cyber Resilience

CVE-2025-49831

Critical

Published: 15 July 2025

Modified: 04 November 2025
CVSS Score v4: 9.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0051 (66.7th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49831 is a critical-severity Improper Authentication (CWE-287) vulnerability in CyberArk Conjur. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked in the top 33.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-49831 (CWE-287) affects CyberArk Secrets Manager, Self-Hosted (formerly Conjur Enterprise) versions prior to 13.5.1 and 13.6.1, as well as Conjur OSS prior to version 1.22.1. The vulnerability arises in self-hosted installations where traffic from Secrets Manager to AWS is routed through a misconfigured network device, enabling an attacker to reroute authentication requests to a server under their control. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability.

Exploitation requires a self-hosted installation whose traffic to AWS services passes through the specific misconfigured network routing. A network-adjacent or on-path attacker capable of manipulating this traffic can redirect authentication requests, potentially allowing full compromise of secrets management authentication flows. CyberArk assesses that very few installations meet the conditions for active exploitation.

Patches address the issue in Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1. Security practitioners should upgrade immediately, with further details available in the CyberArk GitHub security advisory (GHSA-952q-mjrf-wp5j) and release notes. Additional discussion appears in oss-security mailing list announcements.

Vulnerability details

An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

CVE enables rerouting of authentication traffic to attacker-controlled server via network path manipulation, directly facilitating Adversary-in-the-Middle (T1557).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-49828 - Same product: CyberArk Conjur
CVE-2025-49827 - Same product: CyberArk Conjur
CVE-2025-66374 - Same vendor: CyberArk
CVE-2026-2914 - Same vendor: CyberArk
CVE-2024-11322 - Shared CWE-287
CVE-2025-71279 - Shared CWE-287
CVE-2024-13804 - Shared CWE-287
CVE-2025-56752 - Shared CWE-287
CVE-2024-57046 - Shared CWE-287
CVE-2026-2991 - Shared CWE-287

Affected Assets

cyberark
conjur
13.6 · ≤ 1.22.1 · ≤ 13.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the software flaw in CyberArk Secrets Manager Self-Hosted and Conjur OSS that enables rerouting of authentication requests to AWS by applying vendor-released patches in versions 13.5.1, 13.6.1, and 1.22.1.

prevent

Prevents the exploitation prerequisite of traffic routing through misconfigured network devices by establishing, implementing, and verifying secure configuration settings for network components.

prevent, detect

Mitigates rerouting of authentication requests by monitoring and controlling communications at external and internal network boundaries to block unauthorized traffic flows to malicious servers.
