1. EXECUTIVE SUMMARY
- CVSS v4 5.9
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: ABUP
- Equipment: ABUP Internet of Things (IoT) Cloud Platform
- Vulnerability: Incorrect Privilege Assignment
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to access device profiles for which they are not authorized.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following ABUP products are affected:
- ABUP IoT Cloud Platform: All Versions
3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266
Actors can use a maliciously crafted JavaScript Object Notation (JSON) Web Token (JWT) to perform privilege escalation by submitting the malicious JWT to a vulnerable method exposed on the cloud platform. If the exploit is successful, the user can escalate privileges to access any device managed by the Cloud Update Platform.
CVE-2025-4692 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-4692. A base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Communications
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION:
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: