CVE-2025-12810

6.5 MEDIUM

📋 TL;DR

An improper authentication vulnerability in Delinea Secret Server On-Prem allows a secret with 'Change password on check in' enabled to check in automatically even when the password rotation that should run at check-in fails. The secret is returned to the pool without the rotation having taken place, leaving the stored credential in an inconsistent state (it may no longer match the target account, and the user who had it checked out still knows a working password). Affects Secret Server On-Prem versions 11.8.1, 11.9.6, and 11.9.25; fixed in 11.9.47.

💻 Affected Systems

Products:
  • Delinea Secret Server On-Prem
Versions: 11.8.1, 11.9.6, 11.9.25
Operating Systems: Windows Server (typical deployment)
Default Config Vulnerable: ⚠️ Yes (no product-wide setting has to be changed; any secret that has the per-secret option enabled is exposed)
Notes: Only secrets configured with 'Change password on check in' enabled are affected. Secrets without that option, or without check-out enabled at all, are not impacted.

📦 What is this software?

Delinea Secret Server (formerly Thycotic Secret Server) is a privileged access management (PAM) product: a credential vault that stores passwords and other secrets, enforces check-out/check-in of privileged accounts, and can automatically rotate the password of a managed account, including rotating it every time the secret is checked back in so that the user who checked it out no longer holds a valid credential.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Rotation fails silently across many managed accounts while the secrets check in as if nothing happened. The vault ends up holding passwords that do not match the target accounts, services that pull credentials from the vault lose access, and operators have to reconcile potentially hundreds of systems by hand.

🟠 Likely Case

An individual rotation fails (target unreachable, privileged account locked out, policy rejection) and the secret checks in anyway. The stored credential is stale, and because the password was never changed, the user who just checked it out still knows the current password until an administrator notices and rotates it manually.

🟢 If Mitigated

With monitoring and alerting on password rotation failures, administrators can rotate the affected secret manually and review who held it, before the stale or still-known credential causes an outage or is misused.

🌐 Internet-Facing: LOW - This vulnerability requires access to the Secret Server management interface and affects internal credential management.
🏢 Internal Only: HIGH - Directly impacts internal credential management and can disrupt access to critical systems managed by Secret Server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Occurs automatically when password rotation fails under specific conditions.

Exploitation occurs automatically as part of normal system operation when password rotation fails, not requiring attacker intervention.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.9.47 or later

Vendor Advisory: https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b

Restart Required: Yes

Instructions:

1. Back up the Secret Server database and configuration.
2. Download version 11.9.47 or later from the Delinea portal.
3. Run the installer on the Secret Server host.
4. Restart the Secret Server services.
5. Verify that the upgrade completed successfully (Help → About shows 11.9.47 or later).

🔧 Temporary Workarounds

Disable automatic check-in for password rotation

Scope: all secrets that have 'Change password on check in' enabled

Temporarily disable 'Change password on check in' on affected secrets so that a failed rotation can no longer coincide with an automatic check-in.

Navigate to Secret Settings → Edit Secret → Password Options → Uncheck 'Change password on check in'

Caveat: this removes the control that rotates the password after every check-out, so anyone who checks out the secret keeps a working password until the next scheduled or manual rotation. Pair the workaround with a manual rotation after each check-in of a sensitive secret, and re-enable the option once patched.

🧯 If You Can't Patch

  • Monitor for password rotation failures and alert administrators immediately, so a secret that checked in with a stale credential is rotated by hand before it is reused
  • Establish a manual verification step for password changes on high-value secrets before the secret is allowed back into the pool

🔍 How to Verify

Check if Vulnerable:

Check the Secret Server version in the web interface under Help → About. If the version is 11.8.1, 11.9.6, or 11.9.25, the system is vulnerable. Then inventory which secrets have 'Change password on check in' enabled; those are the ones exposed.

Check Version:

Check web interface: Help → About, or query database: SELECT * FROM tbVersion

Verify Fix Applied:

After the upgrade, verify that the version is 11.9.47 or later. Then test on a non-production secret with 'Change password on check in' enabled: check it out, force the rotation to fail (for example, by pointing the secret at an unreachable host or an invalid privileged account), and confirm that the secret stays checked out instead of checking in automatically.
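A version check written as an added example (not code from Delinea or from this page). It takes the version string shown under Help → About or stored in the database and classifies it against the affected and fixed versions listed above. The one thing worth showing is the comparison: Secret Server versions are dotted integers, and a naive string comparison gets them wrong ("11.9.6" sorts after "11.9.47" as text). Four-part build strings such as "11.9.47.0" are assumed to be possible and are normalised by dropping trailing zero components.

```python
"""Classify a Delinea Secret Server version string against CVE-2025-12810.

Added example; the AFFECTED and FIXED values come from the advisory summary
on this page, the version-string shapes are assumptions.
"""

AFFECTED = {(11, 8, 1), (11, 9, 6), (11, 9, 25)}
FIXED = (11, 9, 47)


def parse_version(version: str) -> tuple:
    """Turn '11.9.47' or '11.9.47.0' into a comparable integer tuple.

    Trailing zero components are dropped so that '11.9.25.0' still matches
    the three-part entries in AFFECTED.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unlisted' for a version string.

    'unlisted' means the version is below the fix but not one of the three
    versions the advisory names; treat it as needing confirmation against
    the vendor advisory rather than as safe.
    """
    v = parse_version(version)
    if v in AFFECTED:
        return "vulnerable"
    if v >= FIXED:
        return "fixed"
    return "unlisted"


def naive_string_compare_is_wrong() -> bool:
    """Demonstrate why the tuple comparison above is needed."""
    return ("11.9.6" > "11.9.47") and (parse_version("11.9.6") < parse_version("11.9.47"))


if __name__ == "__main__":
    for v in ("11.8.1", "11.9.6", "11.9.25", "11.9.30", "11.9.47", "11.9.47.0", "11.10.0"):
        print(f"{v:>10}  {assess(v)}")
    print("string comparison misorders versions:", naive_string_compare_is_wrong())
```

Run it with the string from Help → About; the same function can be applied to the output of the `tbVersion` query if you read the version column out of it.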

📡 Detection & Monitoring

Log Indicators:

  • A password rotation failure event for a secret followed, within seconds, by a check-in event for the same secret in the Secret Server audit log
  • Windows Event Log entries from the Secret Server host recording password change failures against target systems

Network Indicators:

  • Increased failed authentication attempts from systems using rotated credentials

SIEM Query:

source="secret_server" AND (event_type="password_rotation_failure" AND action="check_in")

(Pseudo-query; the actual source and field names depend on how Secret Server events are forwarded to your SIEM. The condition that matters is a rotation failure and a check-in for the same secret close together in time.)
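The correlation the SIEM query gestures at, written out as an added example (not code from Delinea, and not a real Secret Server export format). It walks a chronological stream of per-secret events and raises a finding whenever a check-in follows a rotation failure for the same secret with no successful rotation in between. The tab-separated line format, the event names (CHECKOUT, PASSWORD_CHANGE_FAILED, PASSWORD_CHANGE_SUCCESS, CHECKIN) and the sample lines are all constructed for the example; map them onto the fields of your real audit feed.

```python
"""Correlate password-rotation failures with automatic check-ins.

Added example for CVE-2025-12810 detection. The log format and event names
are assumptions; the sample log below is constructed, not captured.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit lines: "<ISO-8601 UTC>\t<secret id>\t<event>\t<detail>"
SAMPLE_LOG = """\
2025-11-03T10:00:02Z\t4411\tCHECKOUT\tuser=alice
2025-11-03T10:14:55Z\t4411\tPASSWORD_CHANGE_FAILED\terror=target unreachable
2025-11-03T10:14:56Z\t4411\tCHECKIN\tuser=alice
2025-11-03T11:00:00Z\t4412\tCHECKOUT\tuser=bob
2025-11-03T11:09:30Z\t4412\tPASSWORD_CHANGE_SUCCESS\t-
2025-11-03T11:09:31Z\t4412\tCHECKIN\tuser=bob
2025-11-03T12:00:00Z\t4413\tPASSWORD_CHANGE_FAILED\terror=access denied
2025-11-03T13:30:00Z\t4413\tCHECKIN\tuser=carol
"""


@dataclass
class Event:
    ts: datetime
    secret_id: str
    kind: str
    detail: str


@dataclass
class Finding:
    secret_id: str
    failed_at: datetime
    checked_in_at: datetime
    error: str


def parse_events(text: str) -> list:
    """Parse the constructed line format into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, secret_id, kind, detail = line.split("\t", 3)
        # fromisoformat() accepts a trailing 'Z' only on Python 3.11+, so spell it out.
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            secret_id, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window_seconds: int = 300) -> list:
    """Flag check-ins that follow an unresolved rotation failure within the window.

    A PASSWORD_CHANGE_SUCCESS for the secret clears the pending failure, so a
    retry that eventually works does not produce a finding. Each failure yields
    at most one finding.
    """
    pending = {}   # secret_id -> most recent unresolved failure Event
    findings = []
    for e in events:
        if e.kind == "PASSWORD_CHANGE_FAILED":
            pending[e.secret_id] = e
        elif e.kind == "PASSWORD_CHANGE_SUCCESS":
            pending.pop(e.secret_id, None)
        elif e.kind == "CHECKIN":
            failure = pending.get(e.secret_id)
            if failure is not None and (e.ts - failure.ts).total_seconds() <= window_seconds:
                findings.append(Finding(e.secret_id, failure.ts, e.ts, failure.detail))
                del pending[e.secret_id]
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        print(f"secret {f.secret_id}: rotation failed {f.failed_at:%H:%M:%S} "
              f"({f.error}), checked in anyway at {f.checked_in_at:%H:%M:%S}")
```

With the default five-minute window only secret 4411 is reported: 4412 recovered with a successful rotation, and 4413 checked in ninety minutes after its failure, which on a vulnerable build is more likely a user finishing a long session than the automatic check-in this CVE produces. Widen the window if your check-in timing differs, and treat every finding as a secret that needs a manual rotation and a review of who held it.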
