Description
Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30.
References (3)
Core 3
Core References
Third Party Advisory
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-239-01.json
Release Notes, Vendor Advisory
https://wiki.agiloft.com/display/HELP/What%27s+New%3A+CVE+Resolution
Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-35114
Scores
CVSS v3
7.5
EPSS
0.0031
EPSS Percentile
22.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1392
Status
published
Products (1)
atlassian/agiloft
19 - 30
Published
Aug 26, 2025
Tracked Since
Feb 18, 2026