CVE-2025-12772
📋 TL;DR
Brocade SANnav versions before 2.4.0b log the Fabric OS Switch admin password in clear text within support save logs and heap dump files during out-of-memory conditions. This vulnerability allows remote authenticated attackers with admin privileges to read sensitive switch credentials. Organizations using Brocade SANnav for storage area network management are affected.
💻 Affected Systems
- Brocade SANnav
📦 What is this software?
SANnav by Broadcom
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to Brocade Fabric OS Switches, potentially compromising the entire SAN infrastructure, exfiltrating sensitive data, or disrupting storage operations.
Likely Case
Privileged insiders or compromised admin accounts access switch passwords, leading to unauthorized configuration changes or lateral movement within the storage network.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure requiring password rotation and forensic investigation.
🎯 Exploit Status
Exploitation requires authenticated admin access to SANnav logs or support save files; no special tools needed beyond file access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0b
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36846
Restart Required: Yes
Instructions:
1. Download Brocade SANnav 2.4.0b from Broadcom support portal.
2. Backup current configuration and logs.
3. Install update following vendor documentation.
4. Restart SANnav services.
5. Verify version with 'sannav --version' command.
🔧 Temporary Workarounds
Restrict Log Access
Linux: Implement strict file permissions on SANnav log directories to prevent unauthorized access to support save files and heap dumps.
chmod 750 /var/log/sannav
chown sannav:admin /var/log/sannav
Disable Heap Dumps
Linux: Configure SANnav to not generate heap dumps during OOM conditions (may impact debugging capabilities).
export SANNAV_HEAP_DUMP_DISABLED=1
🧯 If You Can't Patch
- Rotate all Brocade Fabric OS Switch admin passwords immediately and monitor for unauthorized access.
- Implement strict access controls to SANnav log directories and monitor file access patterns for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check SANnav version: if below 2.4.0b, search support save logs for password strings using:
grep -r 'password' /var/log/sannav/support_save/
Check Version:
sannav --version
Verify Fix Applied:
Confirm version is 2.4.0b or higher with 'sannav --version' and verify no passwords appear in recent support save logs.
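A plain recursive grep prints every matching line, so the check itself can copy a logged credential into terminal scrollback or a ticket. The script below is an added example, not vendor tooling or part of the original page: it reports only per-file match counts, and reads binary heap dumps as text. The function names are hypothetical, the sample log lines are constructed, and the directory to scan is passed as the first argument.

```shell
#!/bin/sh
# Added example (not vendor tooling): report which files under a directory
# contain "password" strings, printing only per-file match counts so a logged
# credential is never echoed to the terminal or copied into a ticket.

# scan_password_hits DIR
#   prints "<matching-line-count> <path>" for each file with a hit
#   returns 0 if any file matched, 1 if none, 2 on bad input
scan_password_hits() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    list=$(mktemp) || return 2
    find "$dir" -type f -print > "$list"
    rc=1
    while IFS= read -r f; do
        # -a reads binary heap dumps as text, -i ignores case,
        # -c emits a count instead of the matching line itself
        n=$(grep -a -i -c 'password' "$f" 2>/dev/null) || n=${n:-0}
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$n" "$f"
            rc=0
        fi
    done < "$list"
    rm -f "$list"
    return "$rc"
}

# make_sample_tree DIR: constructed sample data, not real SANnav output.
make_sample_tree() {
    mkdir -p "$1/support_save"
    printf 'INFO discovery started\nDEBUG login user=admin password=Constructed-Example-1\n' \
        > "$1/support_save/app.log"
    printf 'INFO nothing sensitive here\n' > "$1/support_save/clean.log"
    # stand-in for a binary heap dump: NUL bytes around the string
    printf 'JAVA PROFILE\000\000Password\000Constructed-Example-1\000' > "$1/heap.hprof"
}

# With an argument, scan that directory; otherwise scan the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_password_hits "$1"
else
    demo=$(mktemp -d) && make_sample_tree "$demo"
    scan_password_hits "$demo"
    rm -rf "$demo"
fi
```

Any file listed should be treated as containing a live credential: restrict or remove it and rotate the switch password it belongs to.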
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to /var/log/sannav/support_save/ directories
- Large heap dump file creation during OOM events
- Password strings in log files
Network Indicators:
- Unexpected SSH/RDP connections to Brocade switches from SANnav servers
- Anomalous switch configuration changes
SIEM Query:
source="/var/log/sannav/" AND (event="file_access" OR event="heap_dump") AND user NOT IN ["sannav_admin", "system"]