CVE-2025-27690

Workaround:

• These independent workarounds can be in place until an upgrade to a fixed release, or patch can be applied. Note: Authentication Provider hash types can be viewed with isi auth file view System in the "Password Hash Type" entry. Workaround 1: Add the impacted users to the "Users who cannot be modified" list. For clusters that have not switched to SHA256 or SHA512 hash types: isi auth file modify System --add-unmodifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --remove-modifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --restrict-modifiable=true For clusters that have switched to SHA256 or SHA512 hash types: Add above users, but also include other file provider users with system privileges: isi auth file modify System --add-unmodifiable-users=root,admin --remove-modifiable-users=root,admin --restrict-modifiable=true Once the patch is applied, if you use the users, you can make them modifiable again. Workaround 2: For clusters that have not switched to SHA256 or SHA512 hash types. Set/reset password for users that are not blocked for modification in the System zone file provider, as well as disabling them. * compadmin, remotesupport, ese, insightiq, www, nobody, git_daemon, isdmgmt Workaround 3: Disable the WebUI and API via CLI isi http services modify Platform-API-External --enabled=false This does not completely mitigate the issue as it could still be abused by users with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH. Workaround 4: Limit access to API & WebUI to trusted networks via firewall rule * Enable the firewall * In "default_pools_policy" modify "rule_isi_webui" to restrict "source network" to a trusted set of networks/IPs This does not completely mitigate the issue as it could still be abused by users with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH, as well as users on the IPs allowed through the firewall.