Recently, a vulnerability has been discovered in CyberArk Endpoint Privilege Manager, which allows malicious actors to inject HTML code into certain parts of the application. This can lead to various security issues like Cross-Site Scripting (XSS), data manipulation, and potential redirection to malicious websites. The vulnerability has been assigned the identifier CVE-2025-22274.
Exploit Details
The vulnerability exists in the "Application definition" page of the CyberArk Endpoint Privilege Manager, specifically in the "content" field. An attacker can input HTML code into this field, which will be interpreted and executed by the browser when the page is rendered. As a result, the HTML code has the potential to execute scripts, redirect users to malicious websites, or even manipulate data within the application.
Affected Product and Version
The vulnerability affects CyberArk Endpoint Privilege Manager in the SaaS version 24.7.1. The status of other versions is currently unknown, as CyberArk has not responded to multiple attempts to contact them regarding this issue.
Here is a sample code snippet demonstrating how the exploit can be carried out:
```html
<!doctype html>
<html>
<head>
<title>CVE-2025-22274 - Exploit Example</title>
</head>
<body>
<!-- The form posts to the "Application definition" endpoint; the stray ";" after the action attribute has been removed so the markup is valid -->
<form action="http://<CYBERARK_ENDPOINT_PRIVILEGE_MANAGER_URL>/ApplicationDefinition" method="POST">
<input type="hidden" name="content" value='<script>alert("XSS Vulnerability");</script>'>
<input type="submit" value="Submit Exploit">
</form>
</body>
</html>
```
When a user clicks on the "Submit Exploit" button, the page sends a POST request to the targeted CyberArk Endpoint Privilege Manager URL with the malicious script in the "content" field. Once the script is stored, every subsequent rendering of that page will cause the script to execute in the user's browser.
Mitigation and Workarounds
Until CyberArk releases a patch to address this issue, it is advised to closely monitor user input in the "content" field of the "Application definition" page or limit access to the field, ensuring that only trusted users have the ability to modify it.
Additionally, organizations can implement a Content Security Policy (CSP) to restrict the sources of scripts that can be executed in the browser. This can potentially prevent any injected scripts from being executed. Detailed information on how to implement a CSP can be found in the Mozilla Developer Network documentation.
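The two workarounds above, monitoring what is written to the "content" field and making sure a stored value cannot run as script, as an added example that is not part of the advisory and not CyberArk's code; the submissions, the flagging rules and the CSP value are assumptions for illustration:

```python
import html
import re

# Constructed sample submissions to the "content" field (not real EPM data).
SAMPLE_SUBMISSIONS = [
    "C:\\Program Files\\Vendor\\app.exe",
    '<script>alert("XSS Vulnerability");</script>',
    '<img src=x onerror="alert(1)">',
    '<a href="javascript:alert(1)">help</a>',
    "plain text & nothing else",
]

# A field meant to hold plain text should never carry tags, event handlers or script URIs.
_MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)
_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
_JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)


def flag_content(value):
    """Return the reasons a submitted value looks like HTML injection; [] if it is clean."""
    reasons = []
    if _MARKUP.search(value):
        reasons.append("html-tag")
    if _HANDLER.search(value):
        reasons.append("event-handler")
    if _JS_URI.search(value):
        reasons.append("javascript-uri")
    return reasons


def render_content(value):
    """Encode a stored value before placing it in HTML so the browser displays it as text."""
    return html.escape(value, quote=True)


# Assumed restrictive policy: scripts only from the application's own origin, no inline script.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)


def triage(submissions):
    """Map each submission to its flags so reviewers can see which values need attention."""
    return {value: flag_content(value) for value in submissions}


if __name__ == "__main__":
    for value, reasons in triage(SAMPLE_SUBMISSIONS).items():
        print(("FLAG " + ",".join(reasons)) if reasons else "ok  ", render_content(value))
```

The flagging rules are deliberately simple and should be treated as an audit aid rather than a filter; the output encoding and the CSP are what stop a stored value from executing.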
Conclusion
CyberArk Endpoint Privilege Manager contains an exploitable HTML injection vulnerability (CVE-2025-22274) in the SaaS version 24.7.1. This can lead to significant security issues and potential damage to users and organizations. It is essential for affected users to implement the suggested mitigation measures until CyberArk releases a patch to address this vulnerability.
References
1. CVE-2025-22274 - Vulnerability Details
2. CyberArk Endpoint Privilege Manager - Official Website
3. Mozilla Developer Network - Content Security Policy
Timeline
Published on: 02/28/2025 13:15:28 UTC
Last modified on: 03/05/2025 16:15:38 UTC