CVE-2025-22273
Severity: CRITICAL
CyberArk Endpoint Privilege Manager 24.7.1 (SaaS) - Missing rate limiting on ChangePassword allows password brute force
Title source: llmDescription
Application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint it is possible to perform a brute force attack on the current password in use. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.
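The advisory describes only the absence of a limit, so below is an added illustration (not CERT Polska's or CyberArk's code) of the two sides of that gap: a log-side detector that flags sources hammering the ChangePassword endpoint, and the per-account throttle whose absence CWE-770 names. The access-log layout, the sample IPs and timestamps, and the thresholds are assumptions made for this example; only the endpoint path comes from the advisory.

```python
"""Added example, not code from the advisory or the vendor.

Log-side detection of bursts against the EPM ChangePassword endpoint, plus a
server-side per-account attempt throttle. Log layout, IPs and thresholds are
assumptions; the endpoint path is the one named in CVE-2025-22273.
"""
from collections import defaultdict, deque
from datetime import datetime

TARGET_PATH = "/EPMUI/VfManager.asmx/ChangePassword"  # endpoint named in the advisory

# Constructed sample log (assumed layout: date time method path client_ip).
# 203.0.113.7 sends 12 POSTs to the endpoint within 22 seconds; 198.51.100.5
# makes two widely spaced attempts; one unrelated GET is mixed in.
SAMPLE_LOG = [
    f"2025-02-20 10:00:{s:02d} POST {TARGET_PATH} 203.0.113.7" for s in range(0, 24, 2)
] + [
    "2025-02-20 10:00:05 GET /EPMUI/ 198.51.100.5",
    f"2025-02-20 10:00:09 POST {TARGET_PATH} 198.51.100.5",
    f"2025-02-20 10:03:40 POST {TARGET_PATH} 198.51.100.5",
]


def parse_line(line: str):
    """Return (epoch_seconds, method, path, client_ip) for one assumed-format line."""
    date, time, method, path, ip = line.split()
    ts = datetime.fromisoformat(f"{date} {time}").timestamp()
    return ts, method, path, ip


def flag_bursts(lines, threshold=10, window_seconds=60):
    """Map client_ip -> peak number of POSTs to TARGET_PATH inside any sliding
    window of window_seconds; only IPs whose peak reaches threshold are returned."""
    recent = defaultdict(deque)   # ip -> timestamps of hits still inside the window
    peak = defaultdict(int)
    for ts, method, path, ip in sorted(map(parse_line, lines)):
        if method != "POST" or path != TARGET_PATH:
            continue
        dq = recent[ip]
        dq.append(ts)
        while ts - dq[0] > window_seconds:   # evict hits that fell out of the window
            dq.popleft()
        peak[ip] = max(peak[ip], len(dq))
    return {ip: n for ip, n in peak.items() if n >= threshold}


class AttemptThrottle:
    """Server-side fix: at most max_attempts password-change attempts per account
    per window. Keyed by account rather than source IP, because the attacker
    controls the source address and can rotate it."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._attempts = defaultdict(deque)   # account -> timestamps of counted attempts

    def allow(self, account: str, now: float) -> bool:
        """Return True and record the attempt, or False if the account is over budget.
        A False result means: reject before ever comparing the submitted password."""
        dq = self._attempts[account]
        while dq and now - dq[0] > self.window_seconds:
            dq.popleft()
        if len(dq) >= self.max_attempts:
            return False
        dq.append(now)
        return True


if __name__ == "__main__":
    print("flagged sources:", flag_bursts(SAMPLE_LOG))
    throttle = AttemptThrottle(max_attempts=5, window_seconds=60)
    print("attempt outcomes:", [throttle.allow("alice", float(t)) for t in range(7)])
```

The detector deliberately ignores response status, since a SOAP endpoint may answer a wrong password with a 200 and a fault body; volume against the path is the signal. The throttle counts only attempts that were actually processed, so a denied request does not extend the lockout indefinitely, and a second dimension keyed by source IP can be layered on top in the same way.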
References (3)
third-party-advisory: https://cert.pl/en/posts/2025/02/CVE-2025-22270/
third-party-advisory: https://cert.pl/posts/2025/02/CVE-2025-22270/
product: https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm
Scores
CVSS v4: 9.3
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0057 (percentile 42.6%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
Status: published
Products (1): CyberArk/Endpoint Privilege Manager 24.7.1
Published: Feb 28, 2025
Tracked Since: Feb 18, 2026