CVE-2025-47244
📋 TL;DR
This vulnerability in Inedo ProGet allows remote attackers to access restricted functionality through the C# reflection layer, potentially causing denial of service or information disclosure. It affects ProGet installations through version 2024.22, particularly when anonymous access is enabled or when CSRF attacks succeed.
💻 Affected Systems
- Inedo ProGet
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system disruption through denial of service (restart loops) and exposure of sensitive configuration data or credentials.
Likely Case
Service disruption through targeted restart attacks and potential information leakage about system configuration.
If Mitigated
Limited impact if anonymous access is disabled and CSRF protections are properly implemented.
🎯 Exploit Status
Demonstrated exploitation available in disclosure; anonymous access enables unauthenticated attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.23 or later
Vendor Advisory: https://docs.inedo.com/docs/proget/installation/installation-guide
Restart Required: Yes
Instructions:
1. Download the latest ProGet installer from my.inedo.com.
2. Run the installer to upgrade.
3. Restart the ProGet service.
🔧 Temporary Workarounds
Disable Anonymous Access
Prevents unauthenticated exploitation by requiring authentication for all access.
Navigate to ProGet Admin > Security > Anonymous Access > Disable
Implement CSRF Protections
Add anti-CSRF tokens to prevent cross-site request forgery attacks.
Configure CSRF protection in web.config or the application settings
🧯 If You Can't Patch
- Disable anonymous access immediately
- Implement network segmentation to restrict access to ProGet instances
- Monitor for unusual restart patterns or reflection API calls
🔍 How to Verify
Check if Vulnerable:
Check the ProGet version under Admin > About; if it is 2024.22 or earlier, the system is vulnerable.
Check Version:
Check web interface at /about or examine installation directory version files
Verify Fix Applied:
Verify version is 2024.23 or later in Admin > About after patching.
📡 Detection & Monitoring
Log Indicators:
- Unusual frequency of RestartWeb calls
- Reflection API access from unexpected sources
- Anonymous user accessing restricted endpoints
Network Indicators:
- HTTP requests to reflection endpoints from unauthenticated sources
- CSRF-style request patterns
SIEM Query:
source="proget" AND (event="RestartWeb" OR event="ReflectionAccess") AND user="anonymous"
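As an added example (not from this page or from Inedo), the same logic as the SIEM query above applied offline to log lines: it flags anonymous use of the two restricted events and a burst of RestartWeb calls from one source. The sample lines and their key=value layout are constructed assumptions; ProGet's real log format may differ, so adapt LINE_RE to the fields your instance emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed key=value layout (not ProGet's
# real log format). Source addresses are documentation ranges.
SAMPLE_LOGS = """\
2025-05-01T10:00:01Z user=admin src=198.51.100.7 event=Login
2025-05-01T10:00:05Z user=anonymous src=203.0.113.5 event=ReflectionAccess
2025-05-01T10:01:00Z user=anonymous src=203.0.113.5 event=RestartWeb
2025-05-01T10:02:00Z user=anonymous src=203.0.113.5 event=RestartWeb
2025-05-01T10:03:00Z user=anonymous src=203.0.113.5 event=RestartWeb
2025-05-01T10:30:00Z user=admin src=198.51.100.7 event=RestartWeb
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)")
RESTRICTED = {"RestartWeb", "ReflectionAccess"}  # the two events the SIEM query watches


def parse_lines(text):
    """Yield (timestamp, user, src, event) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing the whole run
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["user"], m["src"], m["event"]


def detect(text, window=timedelta(minutes=5), restart_threshold=3):
    """Return alerts: anonymous use of restricted events, and RestartWeb bursts per source."""
    alerts = []
    restarts = defaultdict(list)  # src -> RestartWeb timestamps inside the sliding window
    for ts, user, src, event in parse_lines(text):
        if user == "anonymous" and event in RESTRICTED:
            alerts.append(("anonymous_restricted_call", src, event))
        if event == "RestartWeb":
            recent = [t for t in restarts[src] if ts - t <= window] + [ts]
            restarts[src] = recent
            if len(recent) >= restart_threshold:
                alerts.append(("restart_burst", src, len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

An administrator's single RestartWeb during a maintenance window (the last sample line) is not flagged, which is the distinction the page's log indicators draw between routine restarts and a restart loop.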