Incorrect Privilege Assignment

CVE-2025-27028

Medium

6.8/10

Summary

The Linux deprivileged user vpuser in Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) can read the entire file system content, including files belonging to other users and having restricted access (like, for example, the root password hash).

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-266 - Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References

Advisory Timeline

Published Jul 09, 2025

Incorrect Privilege Assignment

CVE-2025-27028

Summary

CWE-266 - Incorrect Privilege Assignment

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS