CVE-2025-22271

MEDIUM

CyberArk Endpoint Privilege Manager <24.7.1 - SSRF

Title source: llm

Description

The application or its infrastructure allows for IP address spoofing by providing its own value in the "X-Forwarded-For" header. Thus, the action logging mechanism in the application loses accountability This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

References (3)

[Various Sources] https://cert.pl/en/posts/2025/02/CVE-2025-22270/

[Various Sources] https://cert.pl/posts/2025/02/CVE-2025-22270/

[Various Sources] https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm

Scores

CVSS v4 6.9

EPSS 0.0013

EPSS Percentile 32.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (1)

CyberArk/Endpoint Privilege Manager 24.7.1

Published Feb 28, 2025

Tracked Since Feb 18, 2026