Platform
other
Component
google-secops-soar
Fixed in
6.3.54.0
6.3.53.2
CVE-2025-9918 is a Remote Code Execution (RCE) vulnerability discovered in Google SecOps SOAR Server. This flaw allows an authenticated attacker with Use Case import permissions to execute arbitrary code by uploading a specially crafted ZIP archive containing path traversal sequences. The vulnerability impacts versions 6.3.54.0, 6.3.53.2, and all prior versions. A fix is available in version 6.3.54.0.
The impact of CVE-2025-9918 is significant due to its potential for Remote Code Execution. A successful exploit allows an attacker to execute arbitrary commands on the SecOps SOAR server with the privileges of the user performing the import. This could lead to complete system compromise, including data exfiltration, modification of security configurations, and lateral movement within the network. The attacker's ability to import Use Cases is the primary prerequisite, highlighting the importance of access controls within the SecOps SOAR environment. This vulnerability shares similarities with other path traversal exploits where attackers leverage crafted input to access unauthorized files and execute malicious code.
CVE-2025-9918 was publicly disclosed on 2025-09-11. The exploitability of this vulnerability is considered medium due to the requirement for authenticated access and the need to craft a malicious ZIP archive. No public proof-of-concept (PoC) code has been released as of this writing. It is not currently listed on the CISA KEV catalog. The NVD entry was published on 2025-09-11.
Organizations heavily reliant on Google SecOps SOAR for security orchestration and automation are at risk. Specifically, environments where multiple users have permissions to import Use Cases, or where access controls are not strictly enforced, are particularly vulnerable. Shared hosting environments utilizing SecOps SOAR also present a heightened risk due to the potential for cross-tenant exploitation.
• linux / server: Monitor system logs (journalctl) for suspicious process execution following Use Case imports. Specifically, look for processes spawned from the SecOps SOAR server with unexpected command-line arguments.
journalctl -u google-secops-soar -f | grep -i 'path traversal'
• other: Review SecOps SOAR audit logs for any unusual archive import activity or errors related to file access. Examine the server's file system for unexpected files or modifications.
• generic web: If SecOps SOAR exposes an API for importing Use Cases, test it with a benign ZIP archive to ensure proper input validation and error handling.
disclosure
Exploit status
EPSS
0.49% (65th percentile)
CISA SSVC
The primary mitigation for CVE-2025-9918 is to upgrade Google SecOps SOAR Server to version 6.3.54.0 or later. If upgrading immediately is not feasible, restrict access to Use Case import functionality to only authorized personnel. Implement strict input validation on all uploaded archives, specifically looking for path traversal sequences (e.g., ../). Consider using a Web Application Firewall (WAF) to filter out malicious ZIP files containing suspicious patterns. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual process execution after archive imports is recommended. After upgrading, confirm the fix by attempting to import a test ZIP archive containing a known path traversal sequence; the import should fail with an appropriate error message.
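An added example (not from the advisory and not Google SecOps SOAR code) of the pre-extraction validation the mitigation above calls for: it lists the entries of an uploaded archive that would land outside the import directory, so an archive carrying a traversal sequence such as the test archive described above is rejected before any file is written. The import directory and the in-memory sample archives are constructed assumptions.

```python
import io
import os
import zipfile

# Added example, not SecOps SOAR code. The import directory is an assumption.
IMPORT_DIR = "/opt/soar/usecase-imports"


def unsafe_zip_entries(archive: bytes, dest_dir: str = IMPORT_DIR) -> list[str]:
    """Return the archive entry names that must not be extracted under dest_dir.

    An entry is rejected if it is absolute, contains a '..' path segment, carries
    a Windows drive letter, or still resolves outside dest_dir after
    normalisation. The archive is only inspected; nothing is written to disk.
    """
    dest_real = os.path.realpath(dest_dir)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # Normalise backslashes so Windows-style traversal is caught as well.
            name = info.filename.replace("\\", "/")
            segments = name.split("/")
            if name.startswith("/") or ".." in segments or (len(name) > 1 and name[1] == ":"):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_real, name))
            # Defence in depth: the resolved path must stay inside dest_dir.
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
    return rejected


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {entry_name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign import and one carrying a traversal entry.
BENIGN_ZIP = build_zip({"usecase.json": b"{}", "playbooks/flow.json": b"{}"})
TRAVERSAL_ZIP = build_zip({"usecase.json": b"{}", "../../outside/escaped.txt": b"x"})


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_ZIP), ("traversal", TRAVERSAL_ZIP)):
        bad = unsafe_zip_entries(data)
        print(f"{label}: {'rejected ' + ', '.join(bad) if bad else 'accepted'}")
```

Run the check on every uploaded archive before extraction and fail the whole import when the returned list is non-empty; logging the rejected entry names also gives the audit trail the detection guidance above asks for.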
Upgrade Google SecOps SOAR to version 6.3.54.0 or later. This fixes the Path Traversal vulnerability that allows remote code execution. Consult the Google security bulletin for further details.
CVE-2025-9918 is a Remote Code Execution vulnerability in Google SecOps SOAR Server versions 6.3.54.0 and earlier, allowing attackers to execute code via malicious ZIP archives.
If you are running Google SecOps SOAR version 6.3.54.0 or earlier, you are potentially affected by this vulnerability. Upgrade to 6.3.54.0 or later to mitigate the risk.
The recommended fix is to upgrade Google SecOps SOAR Server to version 6.3.54.0 or later. As a temporary workaround, restrict Use Case import permissions and implement strict input validation.
There are currently no confirmed reports of active exploitation of CVE-2025-9918, but the vulnerability's RCE nature warrants immediate attention and remediation.
Refer to the official Google Security Blog and the Google SecOps SOAR release notes for the latest information and advisory regarding CVE-2025-9918.