CVE-2025-49831
Published: 15 July 2025
Summary
CVE-2025-49831 is a critical-severity Improper Authentication (CWE-287) vulnerability in CyberArk Conjur. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 37.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the software flaw in CyberArk Secrets Manager Self-Hosted and Conjur OSS that enables rerouting of authentication requests to AWS by applying vendor-released patches in versions 13.5.1, 13.6.1, and 1.22.1.
Prevents the exploitation prerequisite of traffic routing through misconfigured network devices by establishing, implementing, and verifying secure configuration settings for network components.
Mitigates rerouting of authentication requests by monitoring and controlling communications at external and internal network boundaries to block unauthorized traffic flows to malicious servers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables rerouting of authentication traffic to an attacker-controlled server via network path manipulation, directly facilitating Adversary-in-the-Middle (T1557).
NVD Description
An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.
Deeper analysis
CVE-2025-49831 (CWE-287) affects CyberArk Secrets Manager, Self-Hosted (formerly Conjur Enterprise) versions prior to 13.5.1 and 13.6.1, as well as Conjur OSS prior to version 1.22.1. The vulnerability arises in self-hosted installations where traffic from Secrets Manager to AWS is routed through a misconfigured network device, enabling an attacker to reroute authentication requests to a server under their control. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability.
Exploitation requires an attacker to target self-hosted installations with the specific misconfigured network routing to AWS services. An attacker who is network-adjacent or otherwise positioned to manipulate this traffic can redirect authentication requests, potentially allowing full compromise of secrets management authentication flows. CyberArk assesses that very few installations meet the conditions for active exploitation.
Patches address the issue in Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1. Security practitioners should upgrade immediately, with further details available in the CyberArk GitHub security advisory (GHSA-952q-mjrf-wp5j) and release notes. Additional discussion appears in oss-security mailing list announcements.
Details
- CWE(s)