
Source: Symantec
Symantec has released version 4.2.1 of its Privileged Access Manager (PAM) to address multiple security vulnerabilities, including those that could allow for remote code execution and session hijacking.
Symantec PAM is a solution designed to manage and protect privileged accounts. The latest release addresses eight vulnerabilities that could be exploited by attackers to gain unauthorized access to sensitive information or take control of affected systems.
The vulnerabilities addressed in Symantec PAM 4.2.1 include:
- CVE-2025-24500 (CVSSv4 8.7): A SQL injection vulnerability that could allow an unauthenticated attacker to access information in the PAM database.
- CVE-2025-24501 (CVSSv4 5.3): An input validation bypass vulnerability that could allow an unauthenticated attacker to alter PAM logs.
- CVE-2025-24502 (CVSSv4 5.3): A session hijacking vulnerability that could allow an unauthenticated attacker to cause request notifications to be executed in the context of a different user.
- CVE-2025-24503 (CVSSv4 9.3): A cross-site request forgery (CSRF) vulnerability that could allow an attacker to hijack a PAM user’s session.
- CVE-2025-24504 (CVSSv4 5.3): An input sanitization vulnerability that could allow user-supplied input to be written unsanitized to application logs.
- CVE-2025-24505 (CVSSv4 8.8): A remote code execution vulnerability that could allow a high-privileged authenticated PAM user to execute commands on the affected system.
- CVE-2025-24506 (CVSSv4 5.3): An information harvesting vulnerability that could allow an attacker to learn the IDs of PAM users.
- CVE-2025-24507 (CVSSv4 8.9): An OS command injection vulnerability that could allow an attacker to compromise the appliance at boot time.
Symantec PAM users are urged to update to version 4.2.1 as soon as possible to mitigate the risk of these vulnerabilities being exploited.