Advisory

Researchers report flaws in Securden Unified PAM, at least one critical

Take action: If you use Securden Unified PAM (versions 9.0.x through 11.3.1), plan a quick upgrade to version 11.4.4 or later. There are multiple flaws that enable attackers to bypass authentication and steal ALL your stored privileged credentials without any login. After patching, check your web server logs for suspicious requests, and consider rotating all stored passwords as a precaution.


Learn More

Rapid7 security researchers are reporting four vulnerabilities in Securden Unified PAM that allow unauthenticated attackers to compromise privileged access management infrastructure and steal stored credentials. 

Three of the discovered vulnerabilities enable attackers to bypass authentication mechanisms and achieve unauthenticated remote code execution. The fourth vulnerability exposes a multi-tenant infrastructure-sharing issue that could lead to cross-customer exploitation.

Vulnerability summary:

  • CVE-2025-53118 (CVSS score 9.4) - Authentication bypass vulnerability that allows unauthenticated attackers to control administrator backup functions. This flaw enables attackers to manipulate session cookies and CSRF tokens obtained from endpoints to bypass authentication protections and access sensitive backup functionality.
  • CVE-2025-53120 (CVSS score 9.4) - Path traversal vulnerability in unauthenticated upload functionality that enables malicious actors to upload binaries and scripts to server configuration and web root directories. This flaw achieves remote code execution by allowing file uploads to any directory with any filename.
  • CVE-2025-53119 (CVSS score 7.45) - Unauthenticated unrestricted file upload vulnerability that allows attackers to upload malicious binaries and scripts to the server. This vulnerability permits uploading arbitrary files without proper filetype validation to the server's web recordings directory.
  • CVE-2025-6737 (CVSS score 7.2) - Shared SSH key and cloud infrastructure vulnerability where Securden's Remote Vendor Gateway access portal shares infrastructure and access tokens across multiple tenants. This allows malicious actors to obtain authentication material and access gateway servers with low-privilege permissions.

Conceptual attack sequence

  1. Authentication Bypass (CVE-2025-53118) - Attackers browse to /thirdparty-access to obtain a securdensession cookie, then use it at /get_csrf_token to acquire CSRF tokens and securdenpost cookies, effectively bypassing the entire authentication system without valid credentials.
  2. Credential Exfiltration (CVE-2025-53118) - Using the bypassed authentication, attackers access the /configure_schedule endpoint to trigger encrypted password exports with attacker-controlled passphrases, directing backup files to remote SMB shares or the application's /static/ webroot for easy retrieval of all stored passwords, secrets, and session tokens.
  3. Remote Code Execution (CVE-2025-53119 & CVE-2025-53120) - Attackers exploit file upload vulnerabilities through /accountapp/upload_web_recordings_from_api_server to upload malicious files that overwrite critical system scripts like postgresBackup.bat with reverse shell payloads, achieving persistent backdoor access that executes during routine database backup operations with privileged system permissions.
  4. Cross-Customer Exploitation (CVE-2025-6737) - Through the multi-tenant infrastructure vulnerability, attackers can use shared SSH keys and access tokens used by Securden's Remote Vendor Gateway to establish unauthorized tunnels to other customer environments, potentially accessing multiple organizations through the same compromised infrastructure.

Vulnerable Securden Unified PAM versions:

  • All versions from 9.0.x through 11.3.1 are affected by all four vulnerabilities

Patched version:

  • Securden Unified PAM version 11.4.4 and higher contain fixes for all disclosed vulnerabilities

Based on testing conducted by Rapid7 researchers, exploitation of CVE-2025-53119 and CVE-2025-53120 was not viable on version 9.0.1, but was confirmed as exploitable on version 11.1.x and later releases.

Organizations using Securden Unified PAM should upgrade to version 11.4.4 or higher and perform security assessments to determine if their systems have been compromised. They should examine web server logs for requests to /thirdparty-access, /get_csrf_token, and /configure_schedule endpoints that may indicate authentication bypass attempts. Key indicators of potential exploitation include unusual database backup activities, unexpected file modifications in system directories, and unauthorized access to administrative functions without corresponding authentication logs.
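The log review above can be scripted. The following Python is an added example, not Rapid7's or Securden's code: it flags client IPs whose requests reach the three advisory endpoints in the described order, and separately any POST to the unauthenticated web-recordings upload endpoint. It assumes an Apache/nginx "combined" access-log layout and uses constructed sample lines.

```python
import re
from collections import defaultdict
# Endpoints the advisory names: the bypass sequence in order, plus the unauthenticated upload endpoint.
BYPASS_SEQUENCE = ("/thirdparty-access", "/get_csrf_token", "/configure_schedule")
UPLOAD_ENDPOINT = "/accountapp/upload_web_recordings_from_api_server"
WATCHED = set(BYPASS_SEQUENCE) | {UPLOAD_ENDPOINT}

# Apache/nginx "combined" access-log layout (an assumption; adapt the regex to the real log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # ignore any query string
    return m["ip"], m["method"], path, int(m["status"])

def hits_by_ip(lines):
    """Group requests to watched endpoints per client IP, keeping file order (logs are chronological)."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in WATCHED:
            out[rec[0]].append(rec[1:])  # (method, path, status)
    return dict(out)
def bypass_chain_sources(lines):
    """IPs whose first requests to the three bypass endpoints appear in the advisory's order."""
    flagged = []
    for ip, hits in hits_by_ip(lines).items():
        first = {}
        for i, (_, path, _) in enumerate(hits):
            first.setdefault(path, i)
        order = [first.get(p) for p in BYPASS_SEQUENCE]
        if None not in order and order == sorted(order):
            flagged.append(ip)
    return sorted(flagged)

def upload_sources(lines):
    """IPs that POSTed to the unauthenticated web-recordings upload endpoint."""
    return sorted(ip for ip, hits in hits_by_ip(lines).items()
                  if any(m == "POST" and p == UPLOAD_ENDPOINT for m, p, _ in hits))
# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2025:14:02:11 +0000] "GET /thirdparty-access HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Aug/2025:14:02:13 +0000] "GET /get_csrf_token HTTP/1.1" 200 87',
    '203.0.113.7 - - [10/Aug/2025:14:02:20 +0000] "POST /configure_schedule HTTP/1.1" 200 41',
    '198.51.100.9 - - [10/Aug/2025:14:05:00 +0000] "GET /get_csrf_token HTTP/1.1" 200 87',
    '192.0.2.44 - - [10/Aug/2025:14:09:02 +0000] "POST /accountapp/upload_web_recordings_from_api_server HTTP/1.1" 200 12',
]
```

A single hit on /get_csrf_token (the 198.51.100.9 line) is not flagged on its own, since legitimate logins also fetch tokens; the ordered three-endpoint sequence from one client is the stronger indicator.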
