Improper Access control in CCN-CERT microCLAUDIA

Posted date 28/10/2025
Identifier
INCIBE-2025-0596
Importance
4 - High
Affected Resources
  • microCLAUDIA, v3.2.0 or prior.
Description

INCIBE has coordinated the publication of a high-severity vulnerability affecting microCLAUDIA by CCN-CERT, a system based on the CLAUDIA engine that protects an organization's computers against ransomware-type malicious code. The vulnerability was discovered by Alejandro Vázquez Vázquez.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-41090: CVSS v4.0: 7.6 | CVSS AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N | CWE-284
Solution

The vulnerability was fixed by the CCN-CERT team in 2024, in version 3.2.2.

Detail

CVE-2025-41090: microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability.

This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a compromised endpoint or deduced manually.

This vulnerability allows access between tenants, enabling an attacker to list and manage remote assets, uninstall agents, and even delete vaccine configurations.
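
As an added illustration of the access control pattern described above (not CCN-CERT's code; the data model, function names, session shape and identifiers are all assumptions constructed for the example), the Python below contrasts a handler that trusts the organization identifier supplied in the request with one that binds it to the authenticated session and records refused cross-tenant attempts for review.

```python
import copy

# Constructed sample data (not microCLAUDIA's data model): one agent per tenant.
AGENTS = {("org-a", "agent-1"): "installed", ("org-b", "agent-9"): "installed"}

class Forbidden(Exception):
    """Raised when a session asks for another organization's resources."""

def uninstall_unscoped(agents, session, org_id, agent_id):
    # Flawed form: the caller is authenticated, but org_id comes straight
    # from the request and is never compared with the caller's own tenant.
    if (org_id, agent_id) not in agents:
        raise KeyError(agent_id)
    agents[(org_id, agent_id)] = "uninstalled"
    return agents[(org_id, agent_id)]

def uninstall_scoped(agents, session, org_id, agent_id, audit):
    # Hardened form: the tenant is bound to the session server-side; a
    # mismatch is refused and logged so cross-tenant probing is visible.
    if org_id != session["org_id"]:
        audit.append({"user": session["user"], "own_org": session["org_id"],
                      "requested_org": org_id, "agent": agent_id})
        raise Forbidden("organization not accessible to this session")
    if (org_id, agent_id) not in agents:
        raise KeyError(agent_id)
    agents[(org_id, agent_id)] = "uninstalled"
    return agents[(org_id, agent_id)]

def demo():
    session = {"user": "alice", "org_id": "org-a"}  # hypothetical session
    flawed, fixed, audit = copy.deepcopy(AGENTS), copy.deepcopy(AGENTS), []
    # Same cross-tenant request against both handlers.
    uninstall_unscoped(flawed, session, "org-b", "agent-9")
    try:
        uninstall_scoped(fixed, session, "org-b", "agent-9", audit)
        refused = False
    except Forbidden:
        refused = True
    # A request inside the caller's own organization still succeeds.
    own = uninstall_scoped(fixed, session, "org-a", "agent-1", audit)
    return flawed[("org-b", "agent-9")], fixed[("org-b", "agent-9")], refused, own, audit

if __name__ == "__main__":
    print(demo())
```

The audit entries pair the session's own organization with the one requested, which is the field combination to alert on when reviewing API logs for cross-tenant access.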

CVE
Exploitation
No