CVE-2025-35431

5.4 MEDIUM

📋 TL;DR

CVE-2025-35431 is an LDAP injection vulnerability in CISA Thorium. In versions before 1.1.1, user-controlled strings are placed into LDAP search filters without escaping, so an authenticated user can alter the filters Thorium issues and modify the LDAP authorization data Thorium acts on, such as group memberships. Only deployments of vulnerable Thorium versions with LDAP integration enabled are affected.

💻 Affected Systems

Products:
  • CISA Thorium
Versions: All versions before 1.1.1
Operating Systems: Any OS running Thorium
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Thorium with LDAP integration enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with valid Thorium credentials escalates privileges by manipulating the LDAP authorization data Thorium relies on, such as group memberships, and uses the resulting access to reach sensitive data or systems managed through Thorium.

🟠 Likely Case

An authenticated, low-privileged user injects filter syntax into Thorium's group-membership lookups so that, from Thorium's point of view, they belong to groups the directory never granted them, leading to privilege escalation inside Thorium.

🟢 If Mitigated

With network segmentation, a read-only least-privilege LDAP bind account for Thorium, and access limited to trusted users, impact is confined to the Thorium application's own scope.

🌐 Internet-Facing: MEDIUM - If Thorium is internet-facing, attackers could exploit after obtaining valid credentials.
🏢 Internal Only: MEDIUM - Internal attackers with credentials could exploit to escalate privileges within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and knowledge of LDAP injection techniques. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.1

Vendor Advisory: https://github.com/cisagov/thorium/releases/tag/1.1.1

Restart Required: No

Instructions:

1. Download Thorium 1.1.1 from the GitHub releases page.
2. Replace the existing Thorium installation with the new version.
3. Verify that LDAP queries now escape user input (see "How to Verify" below).

🔧 Temporary Workarounds

Restrict Thorium Access (all platforms)

Limit access to Thorium to authorized administrators only, using network controls, until the patch is deployed.

Implement LDAP Query Monitoring (all platforms)

Monitor the LDAP queries Thorium issues for filter metacharacters inside user-supplied values (such as usernames) and for group-membership results that do not match the directory.

🧯 If You Can't Patch

  • If you build Thorium from source, escape every user-controlled string per RFC 4515 (\, *, (, ) and NUL) or strictly validate it before it enters an LDAP filter
  • Apply network segmentation to isolate Thorium from critical LDAP infrastructure, and give Thorium's LDAP bind account read-only, minimal permissions

🔍 How to Verify

Check if Vulnerable:

Check the Thorium version: if it is below 1.1.1 and LDAP integration is enabled, the system is vulnerable.

Check Version:

Check Thorium configuration or deployment manifest for version information

Verify Fix Applied:

Verify that the Thorium version is 1.1.1 or higher, then log in with a username containing LDAP filter metacharacters such as *, ( and ) and confirm that the lookup matches only the literal string (no extra groups appear, and the directory logs an escaped value rather than a rewritten filter).
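The following is an added example, not Thorium's own code, illustrating fix step 3 and the verification check above: it builds the kind of group-membership filter an authorization lookup issues, once with raw input (the pre-1.1.1 behaviour) and once with RFC 4515 escaping, and runs both against a small constructed in-memory directory. The posixGroup/memberUid schema, the toy filter evaluator and the directory entries are assumptions made for the demonstration.

```python
"""Added example: LDAP filter injection versus RFC 4515 escaping.

Illustrative code, not Thorium's own. It assumes a posixGroup schema (group
membership in the multi-valued memberUid attribute) and evaluates filters
against a constructed in-memory directory so that it runs offline.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value so the server treats them as literal text rather than filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-controlled text before embedding it in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(username: str) -> str:
    """The unsafe pattern: the caller's string lands in the filter verbatim."""
    return f"(&(objectClass=posixGroup)(memberUid={username}))"


# --- minimal filter evaluator (hypothetical stand-in for a real LDAP server) ---

def _parse(s: str, i: int = 0):
    """Parse '(&...)', '(|...)' or '(attr=value)' starting at s[i]; no '!' support."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    j = s.index(")", i)  # an escaped value never contains a literal ')'
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def _value_regex(pattern: str) -> re.Pattern:
    """Assertion value to regex: '*' is a wildcard, '\\XX' is one literal byte."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", pattern[i + 1:i + 3]):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def _matches(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, pattern = node
    rx = _value_regex(pattern)
    return any(rx.fullmatch(v) for v in entry.get(attr, []))


def search(directory: list, filter_str: str) -> list:
    """Return the cn of every entry matching the filter (a toy ldapsearch)."""
    tree, end = _parse(filter_str)
    assert end == len(filter_str), "trailing garbage in filter"
    return [e["cn"][0] for e in directory if _matches(tree, e)]


# Constructed sample directory: the attacker (alice) is only an analyst.
DIRECTORY = [
    {"cn": ["admins"], "objectClass": ["posixGroup"], "memberUid": ["root", "carol"]},
    {"cn": ["analysts"], "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
]


def groups_for_user_vulnerable(username: str) -> list:
    """Pre-1.1.1 style lookup: raw input in the filter."""
    return search(DIRECTORY, build_group_filter(username))


def groups_for_user_fixed(username: str) -> list:
    """Patched style lookup: input escaped before it enters the filter."""
    return search(DIRECTORY, build_group_filter(escape_filter_value(username)))


if __name__ == "__main__":
    # Closes the memberUid assertion, appends (cn=admins); the template's
    # trailing '))' then closes the filter, so the result is well-formed.
    payload = "*)(cn=admins"
    print(build_group_filter(payload))
    print("vulnerable:", groups_for_user_vulnerable(payload))
    print("fixed:     ", groups_for_user_fixed(payload))
```

The payload is chosen so that the resulting filter stays syntactically valid, which is what a real server requires; the unescaped lookup then reports the admins group for a user who is not in it, while the escaped lookup matches nothing because the metacharacters are compared as literal text. The same escaped form (\2a\29\28) is what you should see in the directory's access log when checking that the patched build is in place.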

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns from Thorium
  • Multiple failed LDAP queries with special characters
  • Unexpected group membership changes

Network Indicators:

  • Unusual LDAP traffic volume from Thorium server
  • LDAP filter metacharacters (*, (, ), \, NUL) appearing inside a user-supplied value such as a username, rather than in the filter's own structure, where parentheses are always present

SIEM Query:

source="thorium" AND (ldap_query CONTAINS "*" OR ldap_query CONTAINS "(" OR ldap_query CONTAINS ")")

Caveat: every LDAP search filter contains parentheses, so the query above as written matches all of Thorium's LDAP traffic. Scope it to the user-supplied portion of the filter (the value after memberUid= or uid=, or the login-name field if your deployment logs it separately; field names are deployment-specific) and alert on metacharacters there. After upgrading to 1.1.1, the escaped forms \2a, \28 and \29 in that value indicate a blocked attempt and are still worth a ticket.
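As an added example (not Thorium's own logging or detection code), the following scans constructed log lines for the indicators listed above while avoiding the "every filter has parentheses" trap: it extracts only the assertion values of attributes populated from user input and flags raw metacharacters there as a live injection and RFC 4515 escape sequences as a blocked attempt. The log line format, the set of user-populated attributes and the sample lines are assumptions; adapt FILTER_RE and USER_ATTRS to what your deployment actually logs.

```python
"""Added example: scanning LDAP query logs for injection attempts.

Illustrative detection logic, not Thorium's own. The log format is a
constructed, hypothetical one: '<ISO timestamp> <level> ldap search filter=<filter>'.
"""
import re

# Attributes whose assertion values come from user-controlled strings (assumed).
USER_ATTRS = {"uid", "memberuid", "samaccountname", "mail"}

FILTER_RE = re.compile(r"^(\S+)\s+\S+\s+ldap search .*?filter=(\S+)\s*$")
# One '(attr=value)' assertion; values cannot contain raw parentheses.
ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")
# Raw filter metacharacters, or a backslash that is not a valid \XX escape.
RAW_META_RE = re.compile(r"[*()]|\\(?![0-9A-Fa-f]{2})")
# Escaped forms of * ( ) NUL: a metacharacter was supplied but neutralised.
ESCAPED_META_RE = re.compile(r"\\(2a|28|29|00)", re.IGNORECASE)


def classify_filter(filter_str: str):
    """Return 'injection', 'escaped_attempt' or None for one logged filter."""
    verdict = None
    for attr, value in ASSERTION_RE.findall(filter_str):
        if attr.lower() not in USER_ATTRS:
            continue  # structural assertions like objectClass are never user input
        if RAW_META_RE.search(value):
            return "injection"  # unescaped syntax reached the query
        if ESCAPED_META_RE.search(value):
            verdict = "escaped_attempt"  # a patched build escaped it
    return verdict


def scan_log(lines):
    """Return (timestamp, verdict, filter) for every flagged line."""
    hits = []
    for line in lines:
        m = FILTER_RE.match(line)
        if not m:
            continue
        ts, filter_str = m.groups()
        verdict = classify_filter(filter_str)
        if verdict:
            hits.append((ts, verdict, filter_str))
    return hits


# Constructed sample log: two benign lookups, one live injection, one blocked attempt.
SAMPLE_LOG = """\
2025-09-01T12:00:01Z INFO ldap search filter=(&(objectClass=posixGroup)(memberUid=alice))
2025-09-01T12:00:02Z INFO ldap search filter=(&(objectClass=posixGroup)(memberUid=*)(cn=admins))
2025-09-01T12:00:03Z INFO ldap search filter=(&(objectClass=posixGroup)(memberUid=\\2a\\29\\28cn=admins))
2025-09-01T12:00:04Z INFO ldap search filter=(&(objectClass=posixGroup)(memberUid=bob))
""".splitlines()


if __name__ == "__main__":
    for ts, verdict, flt in scan_log(SAMPLE_LOG):
        print(ts, verdict, flt)
```

Two design points: the benign lines are never flagged even though they contain parentheses, because only values of user-populated attributes are inspected; and a lone backslash not followed by two hex digits is treated as raw syntax, since a correctly escaping build would have emitted \5c. Extend USER_ATTRS if your directory uses a different login attribute, and expect some legitimate wildcard searches if an attribute in that set is also used for administrative browsing.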
