A recently disclosed vulnerability, CVE-2025-22270, affects CyberArk Endpoint Privilege Manager (EPM) SaaS version 24.7.1 and allows code injection through the Administration Panel. An attacker with access to the "Role Management" tab can add a new role and place a malicious payload in its "name" field; the payload is stored and later injected into the page where the role name is rendered.

The practical risk is reduced because exploitation requires a second, independent flaw: a bypass of the application's Content-Security-Policy (CSP). The CSP blocks execution of the injected JavaScript, but it does nothing against the underlying HTML injection. The status of other CyberArk EPM versions is unknown.

Despite multiple attempts to contact the vendor, we have received no response. In this post we provide a code snippet illustrating the vulnerability, along with links to the original references and further exploit details.

Code snippet

The following code snippet demonstrates how an attacker can inject code through the "name" field in the "Role Management" tab:

<!-- Entry point: the "name" field of the new-role form in the Role Management tab -->
<input type="text" name="role_name" value="">

<!-- Payload submitted as the role name. If the stored name is later rendered
     into the page without HTML encoding, the tag is injected as markup.
     The inline onfocus handler only fires where the CSP permits inline script. -->
<select autofocus onfocus="alert(document.cookie);">

Submitting this payload as a role name injects HTML wherever the name is rendered without output encoding. The inline onfocus handler does not bypass the CSP by itself: under a CSP that forbids inline script, the result is HTML injection only, and turning it into JavaScript execution requires a separate CSP bypass.
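The following is an added example, not code from the original post or from CyberArk. It models the two halves of the issue described above: a role listing that concatenates the stored name straight into markup (the vulnerable pattern) next to the same listing with contextual HTML encoding. The list template, the helper names and the sample role names are constructed for illustration; the real Role Management markup is not published.

```javascript
// Constructed payload, identical to the one shown above.
const PAYLOAD = '<select autofocus onfocus="alert(document.cookie);">';

// Constructed sample data: two stored roles, one carrying the payload.
const ROLES = [
  { name: 'Helpdesk' },
  { name: PAYLOAD },
];

// Vulnerable pattern: the stored name is concatenated into the template
// with no encoding, so any markup in it becomes part of the page.
function renderRolesUnsafe(roles) {
  return roles.map((r) => `<li class="role">${r.name}</li>`).join('\n');
}

// Contextual output encoding for HTML text content. Only these five
// characters need encoding in a text node; attribute and JS contexts
// would need their own encoders.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same template, name encoded before insertion.
function renderRolesSafe(roles) {
  return roles.map((r) => `<li class="role">${escapeHtml(r.name)}</li>`).join('\n');
}

// Demonstration-only check: does the rendered markup contain an element
// whose attribute list carries an on* event handler? (Not a real HTML
// parser; good enough to show the difference between the two renderers.)
function containsInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log(containsInlineHandler(renderRolesUnsafe(ROLES))); // true
console.log(containsInlineHandler(renderRolesSafe(ROLES)));   // false
```

In the hardened output the payload survives verbatim as visible text (`&lt;select ...&gt;`), which is the correct behaviour: the role name is data, not markup, and the browser never sees a tag.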

Original references

1. CVE-2025-22270: Details and Information
2. Exploit Database: CyberArk Endpoint Privilege Manager Code Injection

Exploit details

To exploit this vulnerability, the attacker needs authenticated access to the Administration Panel with rights to the "Role Management" tab. Adding a new role whose "name" field carries a malicious payload injects that payload into the application wherever the role name is rendered. The practical risk is reduced because the CSP blocks execution of the injected JavaScript; turning the HTML injection into script execution requires an additional, separate CSP bypass.

Because this is a SaaS product, customers cannot patch it themselves. Until the vendor ships a fix, organizations should restrict the number of accounts permitted to manage roles, review newly created role names for markup, and follow vendor communications for an advisory or patch. On the vendor side, the correct fix is contextual output encoding of the role name wherever it is rendered, with the CSP kept as defence in depth: a script-src directive without 'unsafe-inline' is what currently stops the injected onfocus handler from executing, so that setting must not be loosened.
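To make the CSP caveat concrete, here is an added example (not code from the original post or from CyberArk) that evaluates whether a given Content-Security-Policy header would allow an injected inline event handler such as the onfocus above to run. The policy strings are constructed for illustration and are not the product's actual headers; the evaluator deliberately ignores 'unsafe-hashes' and report-only mode.

```javascript
// Parse a CSP header into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Inline event handlers are governed by script-src-attr, falling back to
// script-src, then default-src. They execute only if the governing list
// contains 'unsafe-inline', and browsers ignore 'unsafe-inline' when that
// same list also carries a nonce or hash source. With no governing
// directive at all there is no restriction.
function inlineHandlersAllowed(header) {
  const d = parseCsp(header);
  const list = d.get('script-src-attr') ?? d.get('script-src') ?? d.get('default-src');
  if (!list) return true;
  const lower = list.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed policies covering the cases a reviewer would test.
const POLICIES = {
  none: '',
  permissive: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  strict: "default-src 'self'; script-src 'self'; object-src 'none'",
  defaultOnly: "default-src 'self'",
  nonced: "script-src 'nonce-R4nd0m' 'unsafe-inline'; default-src 'self'",
};

for (const [label, policy] of Object.entries(POLICIES)) {
  console.log(label, inlineHandlersAllowed(policy) ? 'handler runs' : 'handler blocked');
}
```

Only the empty and the 'unsafe-inline' policies let the handler run; the strict, default-src-only and nonce-based policies all reduce the payload to plain HTML injection, which is the situation the advisory describes. A practitioner checking a tenant can paste the real response header into `inlineHandlersAllowed` to see which case applies.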

Conclusion

CVE-2025-22270 is a code injection vulnerability in CyberArk Endpoint Privilege Manager SaaS version 24.7.1, reachable through the "name" field of the Role Management tab. The risk is reduced because the application's CSP blocks execution of the injected JavaScript, leaving HTML injection unless a separate CSP bypass is found. The vendor has not provided an official response or fix at the time of writing; organizations should limit who can manage roles, review new role names, and watch for a vendor advisory.

Timeline

Published on: 02/28/2025 13:15:27 UTC
Last modified on: 03/05/2025 16:15:37 UTC