DIVD-2024-00043 - CyberAudit-Web - SSRF and Authentication bypass CVEs Registered
Our reference | DIVD-2024-00043 |
Case lead | Max van der Horst |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Install the patched version of CyberAudit-Web |
Patch status | Released |
Workaround | No workaround available |
Status | Open |
Last modified | 13 Apr 2025 16:31 CEST |
Summary
CyberAudit-Web is a software suite for the CyberLock system, an electronic lock. Researchers of DIVD have found two vulnerabilities in the CyberAudit-Web suite that potentially allow malicious actors to compromise CyberAudit-Web installations and the locks associated with them.
The two vulnerabilities are a Server-Side Request Forgery vulnerability in older versions of the videx-legacy-ssl web service and an Authentication Bypass in CyberAudit-Web versions before 9.8.11, which are End-of-Maintenance (EOM). Acknowledging the severity, Videx has made a patch available to customers both with and without a support contract.
Recommendations
Install the Videx-provided security patch on your system as soon as possible.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of CyberAudit-Web and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collecting the software version number where possible.
Timeline
Date | Description |
---|---|
22 Oct 2024 | Vulnerabilities disclosed to DIVD. |
22 Oct 2024 | DIVD starts researching the vulnerabilities and finds a fingerprint. |
09 Nov 2024 - 13 Nov 2024 | Time to acknowledge. |
09 Nov 2024 - 19 Nov 2024 | Time to patch. |
26 Feb 2025 | CVEs published. |