Platform: other
Component: secret-server-on-prem
Fixed versions: 11.8.2, 11.9.7, 11.9.26
CVE-2025-12810 describes an Improper Authentication vulnerability discovered in Delinea Secret Server On-Prem. This flaw allows a secret with 'change password on check in' enabled to remain in an inconsistent state, potentially exposing credentials, when a password change fails after multiple retries. The vulnerability impacts versions 11.8.1 through 11.9.25 and is addressed by upgrading to version 11.9.47 or later.
The core impact of CVE-2025-12810 lies in the potential exposure of sensitive credentials. When a password change attempt fails after reaching its retry limit, the secret remains checked out with the incorrect password. This creates a window of opportunity for unauthorized access to the secret's contents, potentially including API keys, database passwords, or other critical information. The blast radius extends to any system or application relying on the compromised secret, leading to potential data breaches, service disruptions, and unauthorized actions. While the vulnerability doesn't inherently enable remote code execution, the compromised credentials can be leveraged for lateral movement within the network, escalating the impact.
CVE-2025-12810 was publicly disclosed on 2026-01-27. There is no indication of active exploitation or KEV listing at this time. No public proof-of-concept exploits are currently available. The EPSS score is pending evaluation.
Organizations heavily reliant on Secret Server On-Prem for managing sensitive credentials, particularly those utilizing the 'change password on check in' feature, are at increased risk. Legacy deployments running older, unpatched versions (11.8.1 – 11.9.25) are especially vulnerable.
Disclosure and exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2025-12810 is to upgrade Secret Server On-Prem to version 11.9.47 or later. This resolves the underlying issue preventing the inconsistent state. If an immediate upgrade is not feasible, consider temporarily disabling the 'change password on check in' feature for sensitive secrets. This will prevent automatic password changes and reduce the risk of the vulnerability being exploited. Monitor Secret Server logs for any unusual activity or failed password change attempts. After upgrading, verify the integrity of all secrets by manually checking their passwords and ensuring they are correctly synchronized with the intended systems.
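As an added example (not code from this page or from Delinea), the following Python helper turns the affected range and upgrade target stated above into an inventory check. It takes the affected range 11.8.1 through 11.9.25 and the upgrade target 11.9.47 from the mitigation text; note that the metadata block at the top of this page lists 11.8.2, 11.9.7 and 11.9.26 as fixed versions instead, so reconcile the numbers against Delinea's own advisory before acting on them. The inventory list in the block is constructed for illustration. The point the code makes is that version strings must be compared numerically: as plain strings, "11.9.26" sorts before "11.9.7", which would misclassify a patched build.

```python
"""Added example (not from the advisory page or Delinea): classify Secret Server
On-Prem version strings against the affected range and upgrade target this page
states. Assumptions: versions are dotted integers (an optional fourth build
component is ignored), and the numbers below are copied from the page's prose.
"""
import re

AFFECTED_MIN = (11, 8, 1)     # page: affected versions begin at 11.8.1
AFFECTED_MAX = (11, 9, 25)    # page: affected versions end at 11.9.25
UPGRADE_TARGET = (11, 9, 47)  # page: upgrade to 11.9.47 or later

# Accepts "11.9.7", "v11.9.26", "11.9.25.3"; rejects "11.9" or free text.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch) as ints so comparisons are numeric.

    String comparison is the classic mistake: "11.9.26" < "11.9.7" as text,
    because '2' < '7'. Tuples of ints compare element by element instead.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, _build = match.groups()
    return (int(major), int(minor), int(patch))


def assess(version_text):
    """Classify one version string against the page's stated range and target."""
    version = parse_version(version_text)
    affected = AFFECTED_MIN <= version <= AFFECTED_MAX
    meets_target = version >= UPGRADE_TARGET
    if affected:
        status = "affected: in 11.8.1-11.9.25"
    elif meets_target:
        status = "ok: at or above the 11.9.47 upgrade target"
    elif version < AFFECTED_MIN:
        status = "below affected range: not listed as affected on this page"
    else:
        status = "above affected range but below the 11.9.47 upgrade target"
    return {"version": version, "affected": affected,
            "meets_upgrade_target": meets_target, "status": status}


def affected_hosts(inventory):
    """Return the names of hosts whose version falls in the affected range.

    inventory: iterable of (hostname, version_string) pairs. Unparseable
    versions are reported rather than silently skipped, since an unknown
    version is a finding in itself.
    """
    flagged = []
    for host, version_text in inventory:
        try:
            if assess(version_text)["affected"]:
                flagged.append(host)
        except ValueError:
            flagged.append(f"{host} (unparseable version {version_text!r})")
    return flagged


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample_inventory = [
        ("ss-prod-01", "11.9.7"),
        ("ss-prod-02", "11.9.26"),
        ("ss-lab-01", "11.8.0"),
        ("ss-dr-01", "11.9.47"),
        ("ss-old-01", "unknown"),
    ]
    for host, version_text in sample_inventory:
        try:
            print(host, version_text, "->", assess(version_text)["status"])
        except ValueError as exc:
            print(host, "->", exc)
    print("needs attention:", affected_hosts(sample_inventory))
```

Run the block directly to see the constructed inventory classified; in practice the inventory would come from whatever asset list or CMDB export the organisation keeps for its Secret Server nodes.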
Update Secret Server On-Prem to version 11.9.47 or later. This update fixes the issue that allowed credentials to be reused after a failed password rotation. After the update, if a password change fails, the secret remains checked out.
CVE-2025-12810 is a vulnerability in Delinea Secret Server On-Prem where failed password changes can leave secrets in an inconsistent state, potentially exposing credentials. Severity is pending evaluation.
If you are using Secret Server On-Prem versions 11.8.1 through 11.9.25, you are potentially affected by this vulnerability. Upgrade to 11.9.47 or later to mitigate the risk.
The recommended fix is to upgrade Secret Server On-Prem to version 11.9.47 or later. As a temporary workaround, disable the 'change password on check in' feature.
There is currently no evidence of active exploitation of CVE-2025-12810.
Please refer to the official Delinea security advisory for detailed information and updates regarding CVE-2025-12810.