Cybersecurity experts have identified a severe security vulnerability in Securden Unified PAM, allowing attackers to fully bypass authentication and gain unauthorized access to sensitive credentials and system functions.
The flaw, tracked as CVE-2025-53118 with a CVSS score of 9.4, is one of four major issues discovered in the privileged access management (PAM) platform that could lead to a complete system compromise.
How the Exploit Works
The vulnerability stems from weaknesses in session management. Attackers can access the /thirdparty-access endpoint to automatically obtain a securdensession cookie. This cookie can then be exchanged for CSRF tokens and securdenpost cookies through the /get_csrf_token URL.
Instead of validating user authorization, the system simply checks for the presence of these tokens. This flawed mechanism allows attackers to impersonate authenticated sessions without proper verification.
Discovery by Red Teaming
The vulnerabilities were uncovered during continuous red team exercises conducted by Rapid7’s Vector Command service. Analysts immediately flagged the issue as a severe risk for organizations relying on Securden for credential management and privileged access control.
Additional Vulnerabilities
Alongside the main authentication bypass, researchers identified three other critical flaws:
- CVE-2025-53119 – Unauthenticated unrestricted file upload (CVSS 7.5), enabling attackers to upload malicious scripts or binaries.
- CVE-2025-53120 – Path traversal in file uploads (CVSS 9.4), potentially allowing remote code execution.
- CVE-2025-6737 – Shared SSH key issue (CVSS 7.2) affecting Securden’s cloud gateway services, enabling unauthorized low-privilege access.
Technical Analysis and Exploitation
The authentication bypass is particularly dangerous because it can be chained with the platform's backup functionality.
- Attackers with valid session tokens can exploit the /configure_schedule endpoint to trigger encrypted password backups with administrator rights.
- The SCHEDULE_ENCRYPTED_HTML_BACKUP option lets attackers extract entire credential databases if a superadmin account exists.
- Successful exploitation requires omitting the X-Requested-With header, since the server rejects requests containing it.
Attackers can also set custom backup paths, including SMB shares or the application’s webroot directory, allowing direct download of credential files. Backup names follow predictable timestamp patterns, which makes them easier to guess and brute-force.
When combined with the file upload vulnerabilities, adversaries can achieve remote code execution by replacing system files such as postgresBackup.bat with malicious PowerShell payloads. This creates a multi-stage attack chain that escalates from simple authentication bypass to full system compromise.
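A defender-side check for the request sequence described above (anonymous session from /thirdparty-access, token exchange at /get_csrf_token, then /configure_schedule), written as an added example that is not code from the article, Rapid7 or Securden. The log layout is a constructed, simplified format and the sample lines are made up; only the three endpoint paths come from the report.

```python
import re
from collections import defaultdict

# Constructed sample access log in a hypothetical simplified layout
# ("<client_ip> <method> <path> <status>"); not Securden's real log format.
SAMPLE_LOG = """\
10.0.0.5 GET /thirdparty-access 200
10.0.0.5 GET /get_csrf_token 200
10.0.0.5 POST /configure_schedule 200
10.0.0.9 POST /login 200
10.0.0.9 POST /configure_schedule 200
10.0.0.12 GET /thirdparty-access 200
10.0.0.12 GET /get_csrf_token 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Ordered stages of the chain from the report. A client advances one stage per
# matching successful request, so the same endpoints hit out of order do not count.
CHAIN = ("/thirdparty-access", "/get_csrf_token", "/configure_schedule")


def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Drop any query string so "/get_csrf_token?x=1" still matches the stage.
    return m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])


def chain_progress(lines):
    """Map each client IP to how many chain stages it completed, in order."""
    progress = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, status = rec
        stage = progress[ip]
        # Only non-error responses advance the chain; rejected requests are noise.
        if stage < len(CHAIN) and path == CHAIN[stage] and status < 400:
            progress[ip] = stage + 1
    return dict(progress)


def suspicious_clients(lines):
    """Clients that completed the full chain and should be investigated first."""
    return sorted(ip for ip, stage in chain_progress(lines).items() if stage == len(CHAIN))


if __name__ == "__main__":
    for ip, stage in chain_progress(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: reached stage {stage}/{len(CHAIN)}")
    print("full chain:", suspicious_clients(SAMPLE_LOG.splitlines()))
```

Clients that stop at stage 2 (an anonymous session that exchanged tokens but never scheduled a backup) are worth a lower-priority alert, which is why chain_progress reports every stage rather than only the completed chain.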
Vulnerability Summary
| CVE ID | Vulnerability Name | CVSS Score | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2025-53118 | Authentication Bypass | 9.4 | Bypass authentication to access backups and steal credentials | 9.0.x – 11.3.1 |
| CVE-2025-53119 | Unauthenticated Unrestricted File Upload | 7.5 | Upload malicious binaries/scripts without authentication | 9.0.x – 11.3.1 |
| CVE-2025-53120 | Path Traversal in File Upload | 9.4 | Remote code execution via crafted file uploads | 9.0.x – 11.3.1 |
| CVE-2025-6737 | Shared SSH Key & Cloud Infrastructure | 7.2 | Low-privilege access to gateway servers using shared keys | 9.0.x – 11.3.1 |