Image: Rapid7
Security researchers at Rapid7 have uncovered four serious vulnerabilities in Securden Unified Privileged Access Manager (PAM), a widely used solution for managing administrative credentials and privileged sessions. The flaws include authentication bypass, unrestricted file uploads, path traversal, and insecure cloud gateway infrastructure, all of which could allow attackers to compromise credentials or execute arbitrary commands on affected servers.
According to Rapid7, “three vulnerabilities were identified that allow an attacker to bypass authentication and view stored passwords or execute system commands on the server. The fourth identified vulnerability allows a malicious actor to access Securden’s gateway portal with low privileges, which could potentially be leveraged to exploit other customers running Securden Unified PAM.”
Rapid7 detailed the following issues affecting versions 9.0.x through 11.3.1:
- CVE-2025-53118 – Authentication Bypass (CVSS 9.4)
  Attackers can exploit the /thirdparty-access endpoint to obtain cookies and tokens without authentication. As Rapid7 explains, “an unauthenticated attacker [can] control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM.”
- CVE-2025-53119 – Unauthenticated Unrestricted File Upload (CVSS 7.5)
  Insufficient file-type validation allows arbitrary files, including malicious scripts, to be uploaded to the server without authentication.
- CVE-2025-53120 – Path Traversal in File Upload (CVSS 9.4)
  By manipulating file paths, attackers can overwrite critical files such as scheduled batch scripts. Rapid7 demonstrated replacing postgresBackup.bat with a reverse shell payload: “On backup, the application server runs the batch script containing the PowerShell reverse shell, and the attacker can run privileged OS commands on the PAM server.”
- CVE-2025-6737 – Shared SSH Key and Cloud Infrastructure (CVSS 7.2)
  Rapid7 found that Securden’s Vendor Access Portal shared infrastructure across tenants, exposing instances to cross-customer attacks. “A malicious actor can obtain authentication material and access the gateway server with low-privilege permissions.”
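For defenders triaging an exposed Securden instance, the three server-side flaws above translate into two checks: is the deployed version inside the affected range, and do the web server logs show the request patterns Rapid7 describes (unauthenticated hits on /thirdparty-access, and uploads whose file name carries a traversal sequence or targets a batch script such as postgresBackup.bat). The script below is an added example written for this page; it is not Rapid7's proof-of-concept code nor anything from Securden. The log line format, the upload endpoint name (/upload) and the `filename` query parameter are assumptions made so the example runs offline against constructed sample lines; map them to your own access-log format before use.

```python
"""Triage helper for the Securden Unified PAM flaws described above (added example).

Assumptions (not from the page): the request-log format below, the upload
endpoint path /upload, and the `filename` query parameter.
"""
import re
from urllib.parse import parse_qs, unquote

# Version range as stated by Rapid7: 9.0.x through 11.3.1 affected, 11.4.4 fixed.
# Builds between 11.3.1 and 11.4.4 are not addressed on the page, so they are
# reported as 'unverified' rather than silently assumed safe.
AFFECTED_MIN = (9, 0, 0)
AFFECTED_MAX = (11, 3, 1)
FIXED = (11, 4, 4)


def parse_version(s):
    """Turn '11.3.1' (or '9.0') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_status(s):
    """Return 'affected', 'fixed' or 'unverified' for a reported version string."""
    v = parse_version(s)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "unverified"


# Constructed log format (assumption):
#   <iso-timestamp> <client-ip> <METHOD> <path?query> <status> session=<cookie-id|->
# where 'session=-' means the request carried no session cookie.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"(?P<status>\d{3}) session=(?P<session>\S+)$"
)

UPLOAD_PATH = "/upload"                  # assumption: endpoint name not given on the page
SCRIPT_EXTS = (".bat", ".cmd", ".ps1")   # assumption: script types implied by the .bat example
# A '..' segment bounded by slashes/backslashes or by the start/end of the name.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
ABSOLUTE_RE = re.compile(r"^([A-Za-z]:[\\/]|[\\/])")


def classify(line):
    """Return the list of attack patterns a single log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m["target"].partition("?")
    findings = []
    # CVE-2025-53118 pattern: /thirdparty-access reached with no session at all.
    if path.startswith("/thirdparty-access") and m["session"] == "-":
        findings.append("unauthenticated /thirdparty-access (CVE-2025-53118 pattern)")
    if path == UPLOAD_PATH and m["method"] == "POST":
        # parse_qs decodes one layer; unquote() strips a second layer of encoding.
        fname = unquote(parse_qs(query).get("filename", [""])[0])
        # CVE-2025-53120 pattern: file name escapes the upload directory.
        if TRAVERSAL_RE.search(fname) or ABSOLUTE_RE.match(fname):
            findings.append("path traversal in upload filename (CVE-2025-53120 pattern)")
        # CVE-2025-53119 pattern: executable script uploaded.
        if fname.lower().endswith(SCRIPT_EXTS):
            findings.append("script upload (CVE-2025-53119 pattern)")
    return findings


def triage(lines):
    """Return (client-ip, findings) for every line that matched at least one pattern."""
    out = []
    for line in lines:
        f = classify(line)
        if f:
            out.append((LOG_RE.match(line)["ip"], f))
    return out


# Constructed sample log (not real traffic): one benign client, one attacker.
SAMPLE_LOG = [
    "2025-08-19T10:00:01Z 203.0.113.7 GET /login 200 session=-",
    "2025-08-19T10:00:05Z 203.0.113.7 POST /thirdparty-access 200 session=-",
    "2025-08-19T10:00:09Z 203.0.113.7 POST /upload?filename=..%2F..%2Fbin%2FpostgresBackup.bat 200 session=abc123",
    "2025-08-19T10:01:00Z 198.51.100.4 POST /upload?filename=report.pdf 200 session=def456",
    "2025-08-19T10:01:30Z 198.51.100.4 GET /thirdparty-access 302 session=def456",
]

if __name__ == "__main__":
    for ver in ("9.0.2", "11.3.1", "11.4.0", "11.4.4"):
        print(ver, version_status(ver))
    for ip, findings in triage(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

The version check deliberately reports anything between 11.3.1 and 11.4.4 as unverified: the page only names the affected range and the fixed release, so a build in the gap should be confirmed with the vendor rather than assumed patched. The traversal regex looks for a bounded `..` segment after URL decoding, which catches both `../` and `..\` forms as well as the percent-encoded variants an attacker would send.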
The vulnerabilities pose significant risks for organizations:
- Theft of encrypted password backups, secrets, and active session cookies.
- Remote code execution (RCE) via malicious file uploads and path traversal.
- Potential cross-tenant exploitation of Securden’s Vendor Access Portal.
Rapid7 emphasized the real-world danger: “While an attacker can leverage any of the disclosed vulnerabilities to achieve unauthenticated remote code execution, an attack performed from an authenticated context would not require the authentication bypass to gain code execution capabilities.”
Securden collaborated with Rapid7 and released version 11.4.4 to remediate all four issues. In a statement, Securden CEO Bala Venkatramani assured customers: “These vulnerabilities have been addressed in version 11.4.4 of Securden Unified PAM. At Securden, customer security is our top priority. We actively collaborate with esteemed researchers like Rapid7 to swiftly identify and remediate vulnerabilities.”