Platform: other
Component: secret-server-on-prem
Fixed in: 11.8.2, 11.9.7, 11.9.26
CVE-2025-12810 is an Improper Authentication vulnerability in Delinea Secret Server On-Prem. When a secret has 'change password on check in' enabled and the password change fails after exhausting its retries, the secret is left in an inconsistent state that can expose the credential. Versions 11.8.1 through 11.9.25 are affected; the fix ships in 11.8.2, 11.9.7 and 11.9.26, and the recommendation is to upgrade to 11.9.47 or later.
The impact of CVE-2025-12810 is credential exposure. With 'change password on check in' enabled, Secret Server is expected to rotate the password on the target when a user checks the secret back in, so that the value shown to that user stops working. When the change fails and the retry limit is reached, the affected versions do not hold the secret checked out and flag it for attention (the behaviour the fix introduces); the secret is left in an inconsistent state in which the password disclosed at check-out is still valid on the target. Anyone who saw that value, or captured it in transit or on an endpoint, keeps a working credential: an API key, a database password, a service account or whatever the secret protects. The blast radius extends to every system and application that trusts the secret, with data exposure, service disruption or unauthorized actions as the consequence. The flaw does not by itself give remote code execution, but a still-valid privileged credential is exactly what an attacker uses for lateral movement, so the practical impact can be much larger than the initial exposure.
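To make the failure mode concrete, here is a small model of the check-out, rotate-on-check-in, check-in cycle with a retry loop. It is an added example written for this page, not Secret Server code, and its names (Secret, Target, RotationError, a retry count of 3) are assumptions. It follows the page's description of the fixed behaviour (a secret whose rotation fails stays checked out and is flagged) and contrasts it with a flow that releases the secret regardless of the rotation outcome, which is what leaves the previously disclosed password usable.

```python
"""Model of rotation on check-in (added example, not Delinea's code).

Reproduces the failure mode the advisory describes: rotation is retried,
exhausts its attempts, and in the vulnerable flow the secret is still checked
back in, so the password already shown to the previous user keeps working on
the target. The fixed flow keeps the secret checked out and flags it.
Secret, Target, RotationError and the retry count are assumptions for this
model, not Secret Server internals.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class RotationError(Exception):
    """The target system rejected the password change."""


class Target:
    """Stand-in for the managed account; rejects the first `failures` changes."""

    def __init__(self, password: str, failures: int = 0):
        self.password = password
        self.failures = failures

    def change_password(self, new_password: str) -> None:
        if self.failures > 0:
            self.failures -= 1
            raise RotationError("target rejected the change")
        self.password = new_password


@dataclass
class Secret:
    name: str
    password: str
    change_on_checkin: bool = True
    checked_out_by: Optional[str] = None
    needs_attention: bool = False
    # Passwords handed out at check-out. A vault would not keep this list;
    # the model does, to show what remains valid after a failed rotation.
    disclosed: List[str] = field(default_factory=list)


def check_out(secret: Secret, user: str) -> str:
    if secret.checked_out_by is not None:
        raise RuntimeError(f"{secret.name} is checked out by {secret.checked_out_by}")
    secret.checked_out_by = user
    secret.disclosed.append(secret.password)
    return secret.password


def rotate_with_retries(secret: Secret, target: Target, new_password: str,
                        retries: int = 3) -> bool:
    """Attempt the change up to `retries` times; True if the target accepted it."""
    for _ in range(retries):
        try:
            target.change_password(new_password)
        except RotationError:
            continue
        secret.password = new_password
        return True
    return False


def check_in_vulnerable(secret: Secret, target: Target, new_password: str) -> None:
    """Vulnerable flow: the check-in completes whether or not rotation worked."""
    if secret.change_on_checkin:
        rotate_with_retries(secret, target, new_password)
    secret.checked_out_by = None          # released regardless of the outcome


def check_in_fixed(secret: Secret, target: Target, new_password: str) -> bool:
    """Fixed flow: on rotation failure the secret stays checked out and is flagged."""
    if secret.change_on_checkin and not rotate_with_retries(secret, target, new_password):
        secret.needs_attention = True
        return False
    secret.checked_out_by = None
    return True


def previous_user_still_has_access(secret: Secret, target: Target) -> bool:
    """True when the secret is released yet a disclosed password still works."""
    return secret.checked_out_by is None and target.password in secret.disclosed


def run(flow, failures: int):
    """Check out as alice, then check in with `flow`; return (secret, target)."""
    secret = Secret("svc-db-admin", "Old-Pass-1")
    target = Target("Old-Pass-1", failures=failures)
    check_out(secret, "alice")
    flow(secret, target, "New-Pass-2")
    return secret, target


if __name__ == "__main__":
    for flow in (check_in_vulnerable, check_in_fixed):
        s, t = run(flow, failures=3)
        print(f"{flow.__name__}: checked_out_by={s.checked_out_by} "
              f"needs_attention={s.needs_attention} "
              f"old password still usable={previous_user_still_has_access(s, t)}")
```

With three consecutive failures the vulnerable flow releases the secret while the target still accepts the password alice was shown; the fixed flow leaves it checked out with needs_attention set, which is the state an operator must then resolve by rotating the password and checking the secret in.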
CVE-2025-12810 was publicly disclosed on 2026-01-27. There is no indication of active exploitation and no KEV listing at this time, and no public proof-of-concept exploit is available. EPSS scores it at 0.03% (9th percentile), a low predicted likelihood of exploitation.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2025-12810 is to upgrade Secret Server On-Prem to a fixed build (11.8.2, 11.9.7 or 11.9.26; 11.9.47 or later is recommended), which corrects the handling of a failed password change. If an immediate upgrade is not feasible, temporarily disable 'change password on check in' on sensitive secrets so that a failed rotation cannot leave them in the inconsistent state. Note the trade-off: with the feature off, the password is not rotated after use at all, so whoever checked the secret out keeps a working credential until it is rotated some other way; pair the workaround with scheduled or manual rotation rather than treating it as a fix. Monitor Secret Server logs for failed password change attempts and for check-ins that follow them. After upgrading, verify each secret that uses the feature: confirm that the stored password actually works on the target, rotate any secret whose change failed during the affected window, and resolve any secret the fixed build leaves checked out after a failed change.
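The post-upgrade verification step is easier with a worklist. The script below is an added example, not Delinea's code or documentation: it authenticates to the Secret Server REST API, pages through secret summaries and flags the ones worth checking by hand, namely secrets that are checked out with change-on-check-in enabled (the state the fixed build leaves a failed rotation in) and secrets marked out of sync. The endpoint paths (/oauth2/token, /api/v1/secrets) and the JSON field names (checkOutEnabled, checkedOut, checkOutChangePasswordEnabled, checkOutUserDisplayName, isOutOfSync, outOfSyncReason, records, hasNext) are assumptions to confirm against your instance's REST API documentation before relying on the output; SAMPLE_RECORDS is constructed sample data, not real API output.

```python
"""Worklist of secrets to verify after the CVE-2025-12810 upgrade.

Added example, not Delinea's code. Endpoint paths and JSON field names are
assumptions to confirm against your instance's REST API documentation.
"""
import json
import urllib.parse
import urllib.request


def get_token(base_url: str, username: str, password: str) -> str:
    """Password-grant login (assumed endpoint: /oauth2/token)."""
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()
    req = urllib.request.Request(f"{base_url}/oauth2/token", data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_secret_summaries(base_url: str, token: str, page_size: int = 100) -> list:
    """Page through /api/v1/secrets (assumed paging fields: records, hasNext)."""
    records, skip = [], 0
    while True:
        url = f"{base_url}/api/v1/secrets?take={page_size}&skip={skip}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        records.extend(page.get("records", []))
        if not page.get("hasNext"):
            return records
        skip += page_size


def triage(records: list) -> list:
    """Return the secrets an operator should verify by hand, with reasons."""
    findings = []
    for r in records:
        if not r.get("checkOutEnabled"):
            continue  # the failure mode only arises on check-in
        reasons = []
        # Summaries may omit checkOutChangePasswordEnabled; when it is absent,
        # be conservative and flag the checked-out secret anyway (the detail
        # endpoint /api/v1/secrets/{id} is assumed to carry the full flag set).
        if r.get("checkedOut") and r.get("checkOutChangePasswordEnabled", True):
            who = r.get("checkOutUserDisplayName") or "unknown user"
            reasons.append(f"still checked out by {who}")
        if r.get("isOutOfSync"):
            why = r.get("outOfSyncReason") or "no reason recorded"
            reasons.append(f"out of sync: {why}")
        if reasons:
            findings.append({"id": r["id"], "name": r["name"], "reasons": reasons})
    return findings


# Constructed sample records (not real Secret Server output) covering the
# cases triage distinguishes.
SAMPLE_RECORDS = [
    {"id": 101, "name": "svc-db-admin", "checkOutEnabled": True, "checkedOut": True,
     "checkOutChangePasswordEnabled": True, "checkOutUserDisplayName": "alice",
     "isOutOfSync": False},
    {"id": 102, "name": "svc-web", "checkOutEnabled": True, "checkedOut": False,
     "checkOutChangePasswordEnabled": True, "isOutOfSync": False},
    {"id": 103, "name": "svc-backup", "checkOutEnabled": True, "checkedOut": False,
     "checkOutChangePasswordEnabled": True, "isOutOfSync": True,
     "outOfSyncReason": "Password change failed"},
    {"id": 104, "name": "shared-wifi", "checkOutEnabled": False, "checkedOut": False,
     "isOutOfSync": True},
    {"id": 105, "name": "svc-report", "checkOutEnabled": True, "checkedOut": True,
     "checkOutChangePasswordEnabled": False, "checkOutUserDisplayName": "bob",
     "isOutOfSync": False},
]


if __name__ == "__main__":
    import os
    base = os.environ.get("SS_URL")  # e.g. https://vault.example.internal/SecretServer (assumed)
    if base:
        tok = get_token(base, os.environ["SS_USER"], os.environ["SS_PASS"])
        records = fetch_secret_summaries(base, tok)
    else:
        records = SAMPLE_RECORDS  # offline run against the constructed sample
    for f in triage(records):
        print(f"[{f['id']}] {f['name']}: " + "; ".join(f["reasons"]))
```

Every legitimately checked-out secret appears on the list too, so treat it as a worklist rather than evidence of compromise: for each flagged secret, test the stored password against the target, rotate it if the test fails or if the secret was in use during the affected window, and then check the secret in.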
Upgrade Secret Server On-Prem to version 11.9.47 or later (the fix is also present in 11.8.2, 11.9.7 and 11.9.26). The update corrects the handling of a failed rotation: after upgrading, a secret whose password change fails at check-in remains checked out instead of being released with the old password still valid.
CVE-2025-12810 is a vulnerability in Delinea Secret Server On-Prem where failed password changes can leave secrets in an inconsistent state, potentially exposing credentials. Severity is pending evaluation.
If you are running Secret Server On-Prem versions 11.8.1 through 11.9.25, you are potentially affected. Upgrade to 11.9.47 or later (the fix is also in 11.8.2, 11.9.7 and 11.9.26) to mitigate the risk.
The recommended fix is to upgrade Secret Server On-Prem to version 11.9.47 or later. As a temporary workaround, disable the 'change password on check in' feature.
There is currently no evidence of active exploitation of CVE-2025-12810.
Please refer to the official Delinea security advisory for detailed information and updates regarding CVE-2025-12810.