CVE-2025-4692

ABUP IoT Cloud Platform Incorrect Privilege Assignment

Description

Actors can use a maliciously crafted JavaScript Object Notation (JSON) Web Token (JWT) to escalate privileges by submitting it to a vulnerable method exposed on the cloud platform. If the exploit succeeds, the attacker can access any device managed by the ABUP Cloud Update Platform.

Remediation

Solution:

  • ABUP did not respond to CISA's request for coordination. The vulnerable method has been removed by the vendor and is no longer accessible, so users of the cloud platform do not need to take any action to close the flaw. Legitimate users of the cloud update platform should be aware that there was a period of exposure that ended on 19 April 2025 and should consider changing their authentication credentials, since a token or credential captured or forged during that window is not invalidated by the removal of the method.
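The advisory above names the mechanism only as a crafted JWT submitted to a method that then granted access to every managed device; it does not say how the token was crafted or what the method checked, and the remediation advises only changing credentials. The Python below is an added illustration of that vulnerability class and of the credential-reset check, written for this page; it is not ABUP's code, not the actual exploit, and every key, subject, device ID and timestamp in it is constructed. It contrasts a handler that reads a role from an unverified token with one that verifies the HS256 signature, refuses tokens issued before a credential reset, and takes device access from a server-side record instead of from the token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo data (hypothetical; nothing here comes from the ABUP advisory).
SERVER_KEY = b"constructed-demo-hmac-key-do-not-reuse"
DEVICE_OWNERS = {"alice": {"dev-001", "dev-002"}, "bob": {"dev-100"}}
# Epoch second of the last credential reset; tokens issued before it are refused.
CREDENTIAL_RESET_AT = 1_745_000_000


class AuthError(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way a legitimate server would."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_admin_token(sub: str) -> str:
    """Attacker-crafted token: self-asserted admin role, no valid signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment({"sub": sub, "role": "admin"}) + ".AAAA"


def unsafe_devices_for(token: str) -> set:
    """Vulnerable pattern: the payload is decoded without verifying the signature,
    and a claim inside the token decides which devices the caller may reach."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("role") == "admin":
        return set().union(*DEVICE_OWNERS.values())  # every device on the platform
    return set(DEVICE_OWNERS.get(claims.get("sub"), set()))


def safe_devices_for(token: str, key: bytes, now: int) -> set:
    """Hardened pattern: verify before trusting, then take privileges from the
    server-side record rather than from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuses alg=none and algorithm confusion
        raise AuthError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError("expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] < CREDENTIAL_RESET_AT:
        raise AuthError("issued before credential reset")
    sub = claims.get("sub")
    if sub not in DEVICE_OWNERS:
        raise AuthError("unknown subject")
    return set(DEVICE_OWNERS[sub])  # the token's "role" claim is deliberately ignored


def rejection_reason(token: str, key: bytes, now: int) -> Optional[str]:
    """None if the token is accepted, otherwise why it was refused."""
    try:
        safe_devices_for(token, key, now)
        return None
    except AuthError as e:
        return str(e)


if __name__ == "__main__":
    now = CREDENTIAL_RESET_AT + 100
    forged = forge_admin_token("bob")
    print("unsafe:", sorted(unsafe_devices_for(forged)))        # bob reaches every device
    print("safe  :", rejection_reason(forged, SERVER_KEY, now))  # unexpected alg
    legit = sign_hs256({"sub": "bob", "role": "admin", "iat": now - 10, "exp": now + 3600}, SERVER_KEY)
    print("safe  :", sorted(safe_devices_for(legit, SERVER_KEY, now)))  # only bob's own device
```

The `iat`-before-reset check is what turns "change your credentials" into something enforceable: after rotating the signing key or resetting accounts, record the reset time and refuse anything issued earlier, otherwise a token minted during the exposure window stays valid until it expires.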

Category

CVSS score: 5.9 (Severity: Medium)
EPSS: 0.03%
Affected: ABUP IoT Cloud Platform

Frequently Asked Questions

What is the severity of CVE-2025-4692?
CVE-2025-4692 has been scored as a medium severity vulnerability.
How to fix CVE-2025-4692?
To fix CVE-2025-4692: ABUP did not respond to CISA's request for coordination. The vulnerable method has been removed by the vendor and is no longer accessible, so users of the cloud platform do not need to take any action to close the flaw. Legitimate users of the cloud update platform should be aware that there was a period of exposure that ended on 19 April 2025 and should consider changing their authentication credentials.
Is CVE-2025-4692 being actively exploited in the wild?
At present there is no information confirming that CVE-2025-4692 is being actively exploited. Its EPSS score puts the probability of exploitation by malicious actors in the next 30 days at about 0.03%.
What software or system is affected by CVE-2025-4692?
CVE-2025-4692 affects the ABUP IoT Cloud Platform.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.