CVE-2025-13428

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated users with IDE role permissions in SecOps SOAR servers to achieve remote code execution by uploading malicious Python packages. The weak validation of uploaded code enables attackers to compromise the server. All customers using affected versions are impacted, but automatic upgrades have been deployed.

💻 Affected Systems

Products:
  • SecOps SOAR server
Versions: below 6.3.64
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with IDE role; custom integrations feature must be enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing data exfiltration, lateral movement, and persistent backdoor installation

🟠 Likely Case: Unauthorized code execution leading to data access, privilege escalation, and potential ransomware deployment

🟢 If Mitigated: Limited impact due to the required authentication and IDE role, combined with proper network segmentation and monitoring

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with a specific role; the Python package upload and installation process is well-documented

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.64 or higher

Vendor Advisory: https://cloud.google.com/support/bulletins#gcp-2025-075

Restart Required: Yes

Instructions:

1. Verify automatic upgrade to version 6.3.64+ completed
2. If not upgraded, manually update to version 6.3.64 or higher
3. Restart the SOAR server service
4. Verify the update was successful

🔧 Temporary Workarounds

Disable custom integrations feature (applies to: all)

Temporarily disable the custom integrations functionality to prevent package uploads

# Check SOAR configuration for custom integrations setting
# Disable via admin interface or configuration file

Restrict IDE role permissions (applies to: all)

Temporarily remove the IDE role from users who don't absolutely need it

# Review and modify user role assignments in SOAR admin panel

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SOAR server from critical systems
  • Enable enhanced logging and monitoring for package upload activities and suspicious process execution

🔍 How to Verify

Check if Vulnerable:

Check SOAR server version via admin interface or version command; versions below 6.3.64 are vulnerable

Check Version:

# Check version via SOAR admin interface or system status command

Verify Fix Applied:

Confirm version is 6.3.64 or higher and test that malicious package uploads are properly validated

📡 Detection & Monitoring

Log Indicators:

  • Unusual Python package uploads
  • setup.py execution events
  • Process creation from package installation
  • IDE role user performing unexpected actions

Network Indicators:

  • Outbound connections from SOAR server to unexpected destinations
  • Unusual data exfiltration patterns

SIEM Query:

source="soar_server" AND (event="package_upload" OR event="setup_execution") AND user.role="IDE"
