Platform: other
Component: google-secops-soar
Fixed in: 6.3.54.0, 6.3.53.2
CVE-2025-9918 is a Remote Code Execution (RCE) vulnerability discovered in Google SecOps SOAR Server. This flaw allows an authenticated attacker with Use Case import permissions to execute arbitrary code by uploading a specially crafted ZIP archive containing path traversal sequences. The vulnerability impacts versions 6.3.54.0, 6.3.53.2, and all prior versions. A fix is available in version 6.3.54.0.
The impact of CVE-2025-9918 is significant because it results in Remote Code Execution. A successful exploit allows an attacker to execute arbitrary commands on the SecOps SOAR server with the privileges of the user performing the import. This could lead to complete system compromise, including data exfiltration, modification of security configurations, and lateral movement within the network. The attacker's ability to import Use Cases is the primary prerequisite, which highlights the importance of access controls within the SecOps SOAR environment. This is the archive-extraction form of path traversal: entry names inside the ZIP that contain traversal sequences cause the importer to write files outside the intended extraction directory, and that out-of-bounds write is what enables the code execution.
CVE-2025-9918 was publicly disclosed on 2025-09-11. The exploitability of this vulnerability is considered medium due to the requirement for authenticated access and the need to craft a malicious ZIP archive. No public proof-of-concept (PoC) code has been released as of this writing. It is not currently listed on the CISA KEV catalog. The NVD entry was published on 2025-09-11.
Exploit Status
EPSS: 0.49% (65th percentile)
CISA SSVC
The primary mitigation for CVE-2025-9918 is to upgrade Google SecOps SOAR Server to version 6.3.54.0 or later. If upgrading immediately is not feasible, restrict access to Use Case import functionality to only authorized personnel. Implement strict input validation on all uploaded archives, specifically looking for path traversal sequences (e.g., ../). Consider using a Web Application Firewall (WAF) to filter out malicious ZIP files containing suspicious patterns. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual process execution after archive imports is recommended. After upgrading, confirm the fix by attempting to import a test ZIP archive containing a known path traversal sequence; the import should fail with an appropriate error message.
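One way to apply the archive validation recommended above, as an added example that is not code from Google or from the SOAR product: every entry name is resolved against the intended import directory before anything is written, and the whole archive is rejected if any entry would land outside that directory. The import root path, the function names and the sample archives are assumed or constructed for illustration.

```python
import io
import os
import zipfile

# Hypothetical staging directory for imported Use Cases (not a real SOAR path).
IMPORT_ROOT = "/srv/soar/usecase-import"


def escapes_root(member_name: str, root: str = IMPORT_ROOT) -> bool:
    """True if extracting this entry under `root` would land outside it.

    Backslashes are treated as separators so a Windows-style "..\\" entry is
    caught on POSIX as well. Absolute names and '..' sequences that climb past
    the root both fail the containment check once realpath() has resolved them.
    """
    root_real = os.path.realpath(root)
    normalized = member_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(root_real, normalized))
    return os.path.commonpath([root_real, target]) != root_real


def unsafe_zip_members(data: bytes, root: str = IMPORT_ROOT) -> list:
    """Return every entry name in the archive that would escape `root`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if escapes_root(i.filename, root)]


def validate_import_archive(data: bytes, root: str = IMPORT_ROOT) -> None:
    """Reject the whole archive before any entry is written to disk."""
    bad = unsafe_zip_members(data, root)
    if bad:
        raise ValueError(f"rejecting Use Case archive, traversal entries: {bad}")


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_archive({"usecase/playbook.json": "{}", "usecase/./notes.txt": "ok"})
    validate_import_archive(clean)  # passes silently
    crafted = build_archive({"usecase/ok.json": "{}", "../../outside.txt": "x"})
    try:
        validate_import_archive(crafted)
    except ValueError as err:
        print(err)  # the whole archive is refused, nothing is extracted
```

The same containment check can be reused after upgrading as the verification step described above: a test archive with a traversal entry must be refused before any file is written.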
Update Google SecOps SOAR to version 6.3.54.0 or later. This will address the Path Traversal vulnerability that allows for remote code execution. See the Google security bulletin for more details.
CVE-2025-9918 is a Remote Code Execution vulnerability in Google SecOps SOAR Server versions 6.3.54.0 and earlier, allowing attackers to execute code via malicious ZIP archives.
If you are running Google SecOps SOAR version 6.3.54.0 or earlier, you are potentially affected by this vulnerability. Upgrade to 6.3.54.0 or later to mitigate the risk.
The recommended fix is to upgrade Google SecOps SOAR Server to version 6.3.54.0 or later. As a temporary workaround, restrict Use Case import permissions and implement strict input validation.
There are currently no confirmed reports of active exploitation of CVE-2025-9918, but the vulnerability's RCE nature warrants immediate attention and remediation.
Refer to the official Google Security Blog and the Google SecOps SOAR release notes for the latest information and advisory regarding CVE-2025-9918.