Platform: other
Component: secret-server-on-prem
Fixed in: 11.8.2, 11.9.7, 11.9.26
CVE-2025-12810 describes an Improper Authentication vulnerability discovered in Delinea Secret Server On-Prem. This flaw allows a secret with 'change password on check in' enabled to remain in an inconsistent state, potentially exposing credentials, when a password change fails after multiple retries. The vulnerability impacts versions 11.8.1 through 11.9.25 and is addressed by upgrading to version 11.9.47 or later.
The core impact of CVE-2025-12810 lies in the potential exposure of sensitive credentials. When a password change attempt fails after reaching its retry limit, the secret remains checked out with the incorrect password. This creates a window of opportunity for unauthorized access to the secret's contents, potentially including API keys, database passwords, or other critical information. The blast radius extends to any system or application relying on the compromised secret, leading to potential data breaches, service disruptions, and unauthorized actions. While the vulnerability doesn't inherently enable remote code execution, the compromised credentials can be leveraged for lateral movement within the network, escalating the impact.
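A small model of the failure mode described above, written as an added example (not Delinea's code, and not Secret Server's actual internals or fix): a check-in that rotates the password with a retry limit, a vulnerable variant that leaves the secret checked out with the old, still-valid password once the retries are exhausted, and a hardened variant that completes the check-in but flags the secret for operator attention. `Secret`, `rotate`, `check_in_vulnerable`, `check_in_fixed`, `MAX_RETRIES` and the target callbacks are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field

MAX_RETRIES = 3  # assumed retry limit; Secret Server's real limit is not given on the page

@dataclass
class Secret:
    name: str
    password: str           # password currently stored for the target
    checked_out: bool = False
    flagged: bool = False   # needs operator attention before reuse
    history: list = field(default_factory=list)

def rotate(secret, set_target_password, new_password):
    """Push new_password to the target, retrying up to MAX_RETRIES times.
    The stored password is updated only on success; returns True/False."""
    for attempt in range(1, MAX_RETRIES + 1):
        try:
            set_target_password(new_password)
        except RuntimeError as exc:
            secret.history.append(f"attempt {attempt} failed: {exc}")
            continue
        secret.password = new_password
        return True
    return False

def check_in_vulnerable(secret, set_target_password, new_password):
    """Models the advisory's inconsistent state: when every retry fails the
    check-in silently aborts, so the secret stays checked out and the old,
    still-valid password remains usable by whoever holds the checkout."""
    if rotate(secret, set_target_password, new_password):
        secret.checked_out = False
    return secret

def check_in_fixed(secret, set_target_password, new_password):
    """One way to avoid it (an assumption, not the vendor's actual fix): the
    check-in always completes, and an exhausted rotation flags the secret so
    it is not issued again until an operator rotates it by hand."""
    rotated = rotate(secret, set_target_password, new_password)
    secret.checked_out = False
    if not rotated:
        secret.flagged = True
        secret.history.append("rotation exhausted; manual rotation required")
    return secret

def unreachable_target(_new_password):
    """Constructed target whose password change always fails."""
    raise RuntimeError("target unreachable")
```

The `history` list stands in for the failed-rotation events a defender would want surfaced in Secret Server's logs; the flagged state is what an operator should look for after upgrading.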
CVE-2025-12810 was publicly disclosed on 2026-01-27. There is no indication of active exploitation or KEV listing at this time. No public proof-of-concept exploits are currently available. The EPSS score is pending evaluation.
Organizations heavily reliant on Secret Server On-Prem for managing sensitive credentials, particularly those utilizing the 'change password on check in' feature, are at increased risk. Legacy deployments running older, unpatched versions (11.8.1 – 11.9.25) are especially vulnerable.
disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2025-12810 is to upgrade Secret Server On-Prem to version 11.9.47 or later, which resolves the underlying issue and prevents the inconsistent state. If an immediate upgrade is not feasible, consider temporarily disabling the 'change password on check in' feature for sensitive secrets; this prevents automatic password changes and reduces the risk of the vulnerability being exploited. Monitor Secret Server logs for unusual activity and for failed password change attempts. After upgrading, verify the integrity of all secrets by manually checking their passwords and ensuring they are correctly synchronized with the intended systems.
Upgrade Secret Server On-Prem to version 11.9.47 or later. This update fixes the issue that allowed credentials to be reused after a password rotation failure. Upon upgrading, the secret will remain unprotected when the password change fails.
CVE-2025-12810 is a vulnerability in Delinea Secret Server On-Prem where failed password changes can leave secrets in an inconsistent state, potentially exposing credentials. Severity is pending evaluation.
If you are using Secret Server On-Prem versions 11.8.1 through 11.9.25, you are potentially affected by this vulnerability. Upgrade to 11.9.47 or later to mitigate the risk.
The recommended fix is to upgrade Secret Server On-Prem to version 11.9.47 or later. As a temporary workaround, disable the 'change password on check in' feature.
There is currently no evidence of active exploitation of CVE-2025-12810.
Please refer to the official Delinea security advisory for detailed information and updates regarding CVE-2025-12810.