CVE-2025-22956
📋 TL;DR
OPSI versions before 4.3 allow any client to access ProductPropertyState data belonging to other clients, potentially exposing sensitive information like domain join passwords. This information disclosure vulnerability affects all OPSI deployments using vulnerable versions and could lead to privilege escalation.
💻 Affected Systems
- OPSI (Open PC Server Integration)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain domain administrator credentials via exposed domain join passwords, leading to complete network compromise and lateral movement across the entire domain.
Likely Case
Unauthorized access to sensitive configuration data and credentials stored in ProductPropertyState, enabling privilege escalation within the OPSI-managed environment.
If Mitigated
Limited exposure of non-sensitive configuration data with minimal impact if no secrets are stored in ProductPropertyState.
🎯 Exploit Status
Exploitation requires client access to OPSI but no special privileges. The vulnerability is in the API/data access controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3
Vendor Advisory: https://opsi.org/en/product/releases/#4.3-20250129054911
Restart Required: Yes
Instructions:
1. Backup OPSI configuration and data.
2. Download OPSI 4.3 from the official repository.
3. Stop OPSI services.
4. Install the update.
5. Restart OPSI services.
6. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict OPSI server access to only trusted management clients
Credential Rotation
Rotate any credentials that may have been exposed in ProductPropertyState
🧯 If You Can't Patch
- Implement strict network access controls to limit which clients can connect to OPSI
- Audit and remove any sensitive credentials from ProductPropertyState configurations
🔍 How to Verify
Check if Vulnerable:
Check OPSI version via web interface or command line. Versions below 4.3 are vulnerable.
Check Version:
opsi-admin -d info | grep version
Verify Fix Applied:
Verify OPSI version is 4.3 or higher and test that clients cannot access other clients' ProductPropertyState data.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to ProductPropertyState API endpoints
- Multiple failed authentication attempts followed by successful data retrieval
Network Indicators:
- Unusual client IP addresses accessing OPSI API endpoints
- High volume of ProductPropertyState queries from single client
SIEM Query:
source="opsi.log" AND ("ProductPropertyState" OR "property retrieval") AND src_ip NOT IN [trusted_management_ips]
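As an added example (not part of this CVE record or of OPSI itself), the following Python script applies the two detection ideas above to log lines: it flags ProductPropertyState reads from sources outside a trusted-management allow-list, and counts per-source query volume. The log layout, the IP addresses and the allow-list are constructed for the example; the opsi JSON-RPC method name productPropertyState_getObjects is used only as an illustrative marker of a property-state read, so adapt the regex to your actual OPSI log format.

```python
import re
from collections import Counter

# Constructed sample log (assumption: this is NOT the real OPSI log layout).
# Fields: "<timestamp> <src_ip> <client_id> <rpc_method>"
SAMPLE_LOG = """\
2025-02-01T10:00:01 10.0.0.5 mgmt01.example.org host_getObjects
2025-02-01T10:00:02 10.0.0.5 mgmt01.example.org productPropertyState_getObjects
2025-02-01T10:01:10 10.0.1.23 ws17.example.org productPropertyState_getObjects
2025-02-01T10:01:11 10.0.1.23 ws17.example.org productPropertyState_getObjects
2025-02-01T10:01:12 10.0.1.23 ws17.example.org productPropertyState_getObjects
2025-02-01T10:02:00 10.0.1.40 ws22.example.org productPropertyState_getObjects
"""

# Hypothetical allow-list of management hosts (the SIEM query's trusted_management_ips).
TRUSTED_MANAGEMENT_IPS = {"10.0.0.5"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src_ip>\S+) (?P<client>\S+) (?P<method>\S+)$")


def parse_log(text):
    """Parse the constructed log layout into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_property_state_read(event):
    """True when the RPC method touches ProductPropertyState data (case-insensitive)."""
    return "productpropertystate" in event["method"].lower()


def untrusted_property_access(events):
    """ProductPropertyState reads from sources outside the trusted-management allow-list."""
    return [e for e in events
            if is_property_state_read(e) and e["src_ip"] not in TRUSTED_MANAGEMENT_IPS]


def high_volume_sources(events, threshold=3):
    """Source IPs that issued at least `threshold` ProductPropertyState queries."""
    counts = Counter(e["src_ip"] for e in events if is_property_state_read(e))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in untrusted_property_access(evts):
        print("untrusted ProductPropertyState read:", e["src_ip"], e["client"])
    print("high-volume sources:", high_volume_sources(evts))
```

The threshold of three queries is a placeholder; tune it against the baseline query rate of your legitimate management clients before alerting on it.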