Full Report
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: GMOD
Equipment: Apollo
Vulnerabilities: Incorrect Privilege Assignment, Relative Path Traversal, Missing Authentication for Critical Function, Generation of Error Message Containing Sensitive Information

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, bypass authentication, upload malicious files, or disclose sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS
The following GMOD products are affected:
Apollo: All versions prior to 2.8.0

3.2 VULNERABILITY OVERVIEW

3.2.1 Incorrect Privilege Assignment CWE-266
The product does not have sufficient logical or access checks when updating a user's information. This could result in an attacker being able to escalate privileges for themselves or others.
CVE-2025-21092 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-21092. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 Relative Path Traversal CWE-23
When uploading organism or sequence data via the web interface, the application unzips and inspects the files but does not check for path traversal in the supported archive types.
CVE-2025-23410 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23410. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Missing Authentication for Critical Function CWE-306
Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username.
CVE-2025-24924 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (A 9.8 base score with unchanged scope corresponds to exactly this vector; it also agrees with the PR:N and VC:H/VI:H/VA:H metrics of the v4 vector below.)
A CVSS v4 score has also been calculated for CVE-2025-24924. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Generation of Error Message Containing Sensitive Information CWE-209
After an attempt to upload a file that does not meet the prerequisites, GMOD Apollo responds with an error message that discloses local path information.
CVE-2025-20002 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-20002. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Government Services and Facilities, Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
CISA reported these vulnerabilities to GMOD.

4. MITIGATIONS
GMOD recommends that users update to version 2.8.0.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
March 4, 2025: Initial Publication
Analysis Summary
# Vulnerability: Multiple Flaws in GMOD Apollo Allowing Privilege Escalation, File Upload, and Information Disclosure
## CVE Details
- **CVE ID:** CVE-2025-21092, CVE-2025-23410, CVE-2025-24924, CVE-2025-20002
- **CVSS Score:**
- CVE-2025-21092: 7.1 (High) (CVSS v4)
- CVE-2025-23410: 9.3 (Critical) (CVSS v4)
- CVE-2025-24924: 9.3 (Critical) (CVSS v4)
- CVE-2025-20002: 6.9 (Medium) (CVSS v4)
- **CWE:** CWE-266 Incorrect Privilege Assignment (CVE-2025-21092), CWE-23 Relative Path Traversal (CVE-2025-23410), CWE-306 Missing Authentication for Critical Function (CVE-2025-24924), CWE-209 Generation of Error Message Containing Sensitive Information (CVE-2025-20002)
## Affected Systems
- **Products:** GMOD Apollo
- **Versions:** All versions prior to 2.8.0
- **Configurations:** Affects the web interface: the user-update function, functions that accept an administrative username, and the organism/sequence data upload path (archive handling and its error responses).
## Vulnerability Description
Multiple vulnerabilities exist in GMOD Apollo:
1. **Incorrect Privilege Assignment (CVE-2025-21092):** Insufficient logical or access checks allow a lower-privileged attacker to escalate privileges for themselves or others when updating user information.
2. **Relative Path Traversal (CVE-2025-23410):** When unpacking and inspecting uploaded organism or sequence data, the application does not check archive member paths for traversal in the supported archive types, so a crafted archive can place files outside the intended directory (an arbitrary file write on the server, with no authentication required per the PR:N vector).
3. **Missing Authentication (CVE-2025-24924):** Certain functions accept requests that carry an administrative username without requiring the caller to authenticate as that user, so an attacker who knows or guesses an administrative username can invoke critical operations with no credentials.
4. **Information Disclosure (CVE-2025-20002):** The system discloses local path information in error messages when an attempted file upload fails prerequisites.
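The traversal check that the archive-inspection step in 3.2.2 (item 2 above) lacks, as an added example in Python; this is not GMOD Apollo's code, and the staging directory, route of use and every archive below are constructed for the illustration. It audits zip and tar members against the resolved destination before anything is written, and for tar also rejects links that would redirect later writes outside the destination:

```python
"""Audit a user-supplied archive for path traversal before unpacking it.

Added illustration of the CWE-23 check missing from the archive-inspection
step described in the advisory; this is not GMOD Apollo's code. Every archive
handled here is constructed in memory, so the module runs offline.
"""
from __future__ import annotations

import io
import tarfile
import zipfile
from pathlib import Path

# Assumed staging directory for uploads (illustration only).
UPLOAD_DIR = Path("/tmp/apollo-upload")


def _inside(root: Path, candidate: Path) -> bool:
    """True when candidate (already resolved) is root or lies beneath it."""
    return candidate == root or root in candidate.parents


def _target_for(root: Path, name: str) -> Path | None:
    """Resolve an archive member name under root; None if it would escape.

    Rejects empty names, absolute paths, backslashes (a Windows separator that
    POSIX keeps as a literal filename character) and any '..' climb, judged on
    the fully resolved path rather than on the raw string.
    """
    if not name or name.startswith("/") or "\\" in name:
        return None
    target = (root / name).resolve()
    return target if _inside(root, target) else None


def audit_archive(data: bytes, dest: Path = UPLOAD_DIR) -> list[str]:
    """Return the problems found in a zip or tar archive; [] means safe to unpack."""
    root = dest.resolve()
    problems: list[str] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if _target_for(root, name) is None:
                    problems.append(f"zip member escapes destination: {name!r}")
        return problems
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data))
    except tarfile.TarError:
        return ["not a zip or tar archive"]
    with tf:
        for m in tf.getmembers():
            target = _target_for(root, m.name)
            if target is None:
                problems.append(f"tar member escapes destination: {m.name!r}")
                continue
            if m.issym() or m.islnk():
                # A link pointing outside dest redirects every later write made
                # through it. Symlinks resolve relative to the link's own
                # directory, hard links relative to the archive root.
                base = target.parent if m.issym() else root
                if not _inside(root, (base / m.linkname).resolve()):
                    problems.append(
                        f"tar link {m.name!r} -> {m.linkname!r} points outside destination")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"tar member {m.name!r} is not a file or directory")
    return problems


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed fixture: a zip with the given member names and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_tar(files: dict[str, bytes], symlinks: dict[str, str] | None = None) -> bytes:
    """Constructed fixture: a tar with regular files and optional symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
        for name, link in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = link
            tf.addfile(info)
    return buf.getvalue()


# Constructed samples: a benign organism upload, a zip-slip zip, and a tar whose
# symlink would redirect a later write into /etc.
BENIGN_ZIP = build_zip({"organism/chr1.fa": b">chr1\nACGT\n",
                        "organism/annotations.gff3": b"##gff-version 3\n"})
MALICIOUS_ZIP = build_zip({"organism/chr1.fa": b">chr1\nACGT\n",
                           "../../etc/cron.d/apollo": b"* * * * * root id > /tmp/pwned\n"})
MALICIOUS_TAR = build_tar({"organism/chr1.fa": b">chr1\nACGT\n"},
                          symlinks={"organism/out": "../../../etc"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("zip-slip", MALICIOUS_ZIP),
                        ("tar symlink", MALICIOUS_TAR)):
        print(f"{label}: {audit_archive(blob) or 'ok'}")
```

The comparison is made on the resolved path, not on the raw member name, because `organism/../../x` and a leading `..` normalise to the same escape while `organism/../seq.fa` is harmless. The same shape applies to a JVM code base: canonicalise the candidate `File` and require its path to start with the canonical destination plus the separator. Python's own `zipfile.extract` already strips `..` components, but `tarfile.extractall` did not filter member paths before Python 3.12 added its `filter` argument, which is the kind of library difference that turns an "inspect the archive" step into an arbitrary write.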
## Exploitation
- **Status:** No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
- **Complexity:** Low (every listed CVSS v3.1 and v4 vector carries AC:L, and the advisory flags "low attack complexity").
- **Attack Vector:** Network (AV:N for all four CVEs); CVE-2025-23410, CVE-2025-24924 and CVE-2025-20002 require no privileges (PR:N), while CVE-2025-21092 needs a low-privileged account (PR:L).
## Impact
Successful exploitation across these flaws could lead to: privilege escalation, unauthenticated file upload with arbitrary write on the server, bypassing authentication controls, and disclosure of local server paths.
- **Confidentiality:** High (C:H for CVE-2025-23410 and CVE-2025-24924; the path disclosure in CVE-2025-20002 alone is only C:L)
- **Integrity:** High (privilege escalation, arbitrary file write via archive path traversal, unauthenticated administrative actions)
- **Availability:** High (A:H for CVE-2025-23410 and CVE-2025-24924, since an arbitrary file write or an unauthenticated administrative action can disrupt the service)
## Remediation
### Patches
- **Patch Version:** Update to GMOD Apollo version **2.8.0** or later.
### Workarounds
General defensive measures recommended by CISA (the advisory uses its standard control-system wording; read "control system" as the Apollo server here):
* Minimize network exposure for the affected systems.
* Ensure they are **not accessible from the Internet**.
* Place them behind firewalls and isolate them from business networks.
* Use secure methods such as Virtual Private Networks (VPNs) for required remote access, keeping the VPN itself up to date and recognizing that it is only as secure as the connected devices.
## Detection
- **Indicators of Compromise:** Unexpected role or permission changes on Apollo user records (CVE-2025-21092); files appearing outside the organism/sequence data directory after an upload, or uploaded archives whose member names contain `../` (CVE-2025-23410); successful calls to administrative functions with no authenticated session (CVE-2025-24924); error responses or application logs carrying absolute server paths after rejected uploads (CVE-2025-20002).
- **Detection methods and tools:** Review web-server and application logs for requests to user-management and upload functions that carry no session, and for bursts of failed uploads from a single client. The path leak in CVE-2025-20002 sits in the response body, which an access log does not record; capture it at the application error handler or a reverse proxy. After patching, confirm with a web application scanner that unauthenticated requests to those functions are refused.
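The log review described above and in section 4 of the advisory, as an added example in Python; it is not a CISA or GMOD tool. The access-log format (client, timestamp, request line, status, bytes, session id or `-`), the route prefixes and the log lines are all constructed assumptions for the illustration and must be mapped onto the deployment's real access log and routes:

```python
"""Triage web-server access logs for the request patterns these CVEs imply.

Added example, not a GMOD or CISA tool. The log format, the route prefixes
and the sample lines are assumptions constructed for the illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed format: client [timestamp] "METHOD PATH PROTO" status bytes session=<id|->
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) session=(?P<session>\S+)$'
)

# Assumed route families: user/role management (CVE-2025-21092, CVE-2025-24924)
# and organism/sequence upload (CVE-2025-23410, CVE-2025-20002).
USER_MGMT_ROUTES = ("/user/", "/group/", "/permission/")
UPLOAD_ROUTES = ("/organism/", "/sequence/")
FAILED_UPLOAD_THRESHOLD = 3  # failed uploads from one client before reporting

# Constructed sample: one client probes a user-management route without a
# session and then hammers the upload route with rejected archives.
SAMPLE_LOG = """\
203.0.113.7 [04/Mar/2025:10:01:02 +0000] "GET /apollo/ HTTP/1.1" 200 3120 session=-
203.0.113.7 [04/Mar/2025:10:01:05 +0000] "POST /apollo/user/updateUser HTTP/1.1" 200 64 session=-
198.51.100.4 [04/Mar/2025:10:02:00 +0000] "POST /apollo/user/updateUser HTTP/1.1" 200 64 session=7f3c9a
203.0.113.7 [04/Mar/2025:10:03:00 +0000] "POST /apollo/organism/addOrganism HTTP/1.1" 500 1840 session=-
203.0.113.7 [04/Mar/2025:10:03:04 +0000] "POST /apollo/organism/addOrganism HTTP/1.1" 500 1840 session=-
203.0.113.7 [04/Mar/2025:10:03:09 +0000] "POST /apollo/organism/addOrganism HTTP/1.1" 400 922 session=-
198.51.100.4 [04/Mar/2025:10:04:00 +0000] "POST /apollo/organism/addOrganism HTTP/1.1" 200 210 session=7f3c9a
"""


def parse_line(line: str) -> dict | None:
    """Parse one access-log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["authenticated"] = rec["session"] != "-"
    return rec


def _matches(path: str, routes: tuple[str, ...]) -> bool:
    return any(route in path for route in routes)


def triage(lines) -> list[dict]:
    """Return alerts: sensitive calls without a session, and failed-upload bursts."""
    alerts: list[dict] = []
    failed_uploads: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sensitive = _matches(rec["path"], USER_MGMT_ROUTES + UPLOAD_ROUTES)
        if sensitive and not rec["authenticated"]:
            # Pre-patch, these calls succeed (200); post-patch they must be 401/403.
            alerts.append({
                "rule": "unauthenticated_sensitive_call",
                "client": rec["client"],
                "detail": f'{rec["method"]} {rec["path"]} -> {rec["status"]} without a session',
            })
        if rec["method"] == "POST" and _matches(rec["path"], UPLOAD_ROUTES) and rec["status"] >= 400:
            failed_uploads[rec["client"]].append(rec["time"])
    for client, times in failed_uploads.items():
        if len(times) >= FAILED_UPLOAD_THRESHOLD:
            alerts.append({
                "rule": "upload_error_burst",
                "client": client,
                "detail": (f"{len(times)} failed uploads between {times[0]} and {times[-1]}; "
                           "inspect the responses for leaked local paths"),
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(f'{alert["rule"]:32} {alert["client"]:15} {alert["detail"]}')
```

The first rule is the one that matters for CVE-2025-24924: a 200 on a user-management route with no session is what the missing-authentication flaw looks like after the fact, and the same query run after the upgrade to 2.8.0 should show only 401/403 for those requests. The burst rule only points at candidates for CVE-2025-20002 probing, because the leaked path is in the response body; pair it with error-handler logging or a proxy that records rejected-upload responses.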
## References
- [View CSAF](https://github[dot]com/cisagov/CSAF)