CVE-2025-27702

CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with administrative access to the console and who have been assigned a certain set of permissions can bypass those permissions to improperly modify settings. The attack complexity is low, there are no preexisting attack requirements; the privileges required are high, and there is no user interaction required. There is no impact to system confidentiality or availability, impact to system integrity is high.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.absolute.com/platform/vulnerability-archive/cve-2025-27702	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*

History

04 Jun 2025, 15:37

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.9
References	~~() https://www.absolute.com/platform/vulnerability-archive/cve-2025-27702 -~~	() https://www.absolute.com/platform/vulnerability-archive/cve-2025-27702 - Vendor Advisory
First Time		Absolute secure Access Absolute
Summary		(es) CVE-2025-27702 es una vulnerabilidad en la consola de administración de Absolute Secure Access anterior a la versión 13.54. Los atacantes con acceso administrativo a la consola y con ciertos permisos asignados pueden eludirlos para modificar la configuración de forma indebida. La complejidad del ataque es baja, no existen requisitos previos; se requieren privilegios elevados y no se requiere interacción del usuario. No se ve afectada la confidencialidad ni la disponibilidad del sistema, pero sí la integridad del mismo.
CPE		cpe:2.3:a:absolute:secure_access::::::::

29 May 2025, 00:15

Type	Values Removed	Values Added
CWE		CWE-284

28 May 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-28 21:15

Updated : 2025-06-04 15:37

NVD link : CVE-2025-27702

Mitre link : CVE-2025-27702

CVE.ORG link : CVE-2025-27702

JSON object : View

Products Affected

absolute

secure_access

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-27702", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "SecurityResponse@netmotionsoftware.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-28T21:15:21.307", "references": [{"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27702", "tags": ["Vendor Advisory"], "source": "SecurityResponse@netmotionsoftware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "CVE-2025-27702 is a vulnerability in the management console of Absolute \nSecure Access prior to version 13.54. Attackers with administrative \naccess to the console and who have been assigned a certain set of \npermissions can bypass those permissions to improperly modify settings. \nThe attack complexity is low, there are no preexisting attack \nrequirements; the privileges required are high, and there is no user \ninteraction required. There is no impact to system confidentiality or \navailability, impact to system integrity is high."}, {"lang": "es", "value": "CVE-2025-27702 es una vulnerabilidad en la consola de administraci\u00f3n de Absolute Secure Access anterior a la versi\u00f3n 13.54. Los atacantes con acceso administrativo a la consola y con ciertos permisos asignados pueden eludirlos para modificar la configuraci\u00f3n de forma indebida. La complejidad del ataque es baja, no existen requisitos previos; se requieren privilegios elevados y no se requiere interacci\u00f3n del usuario. No se ve afectada la confidencialidad ni la disponibilidad del sistema, pero s\u00ed la integridad del mismo."}], "lastModified": "2025-06-04T15:37:13.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30A5DDF4-1B4A-4867-8F0B-9ECD4F5A538F", "versionEndExcluding": "13.54"}], "operator": "OR"}]}], "sourceIdentifier": "SecurityResponse@netmotionsoftware.com"}