CVE-2025-48707
📋 TL;DR
A vulnerability in Stormshield Network Security (SNS) firewalls allows TPM authentication information to be shared among administrators in certain high-availability configurations. This can lead to unauthorized administrators gaining access to sensitive secrets. Organizations using SNS firewalls in HA setups before version 5.0.1 are affected.
💻 Affected Systems
- Stormshield Network Security (SNS)
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized administrators could gain access to TPM-protected secrets, potentially compromising the entire firewall infrastructure and allowing lateral movement into protected networks.
Likely Case
Administrators with legitimate access to one HA node could inadvertently gain access to TPM secrets on other nodes, violating security boundaries and potentially exposing sensitive authentication data.
If Mitigated
With proper access controls and monitoring, the impact is limited to potential information disclosure between authorized administrators rather than external attackers.
🎯 Exploit Status
Exploitation requires administrative access to the SNS firewall and specific HA configuration conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.1
Vendor Advisory: https://advisories.stormshield.eu/2025-003/
Restart Required: Yes
Instructions:
1. Download SNS version 5.0.1 from the Stormshield portal.
2. Back up the current configuration.
3. Apply the update through the web interface or CLI.
4. Reboot the firewall after installation completes.
🔧 Temporary Workarounds
Disable HA TPM Authentication
Temporarily disable TPM-based authentication in HA configurations until patching can be completed.
# Requires CLI access to SNS firewall
configure
set high-availability tpm-authentication disabled
commit
Isolate HA Management Networks
Ensure HA management interfaces are on isolated, restricted networks separate from regular administrative access.
🧯 If You Can't Patch
- Implement strict administrative access controls and monitoring for all HA cluster members.
- Consider temporarily disabling HA functionality if business continuity allows.
🔍 How to Verify
Check if Vulnerable:
Check the SNS version via the web interface (System > Information) or the CLI command 'show version'. If the version is below 5.0.1 and HA with TPM authentication is configured, the system is vulnerable.
Check Version:
show version
Verify Fix Applied:
After patching, verify version shows 5.0.1 or higher and test HA failover to ensure TPM authentication functions correctly without secret sharing.
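The version-and-configuration check above, written out as an added example (not Stormshield's code): it compares the release numerically rather than as a string, and flags a node only when it is below 5.0.1 and actually runs HA with TPM authentication. The exact 'show version' output format is not given on this page, so the parser assumes only that a dotted x.y[.z] number appears somewhere in the text; the node records are constructed sample input.

```python
import re

# First SNS release that contains the fix for CVE-2025-48707 (from the advisory).
FIXED_VERSION = (5, 0, 1)


def parse_version(text):
    """Return the first dotted numeric version in `text` as an int tuple.

    Assumption: the string holds something like '4.8.2' or '5.0.1'; a two-part
    version ('5.1') is padded to three components. Numeric tuples compare
    correctly where plain string comparison would not (e.g. '10.0.0' < '5.0.1'
    as strings).
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text, ha_enabled, tpm_auth_enabled):
    """True only if the build predates the fix AND the affected HA+TPM setup is in use."""
    return parse_version(version_text) < FIXED_VERSION and ha_enabled and tpm_auth_enabled


def audit_cluster(nodes):
    """Return the names of cluster members that still need the 5.0.1 update.

    `nodes` is a list of dicts with keys name, version, ha, tpm_auth. In an HA
    pair every member must be checked, since the secret sharing happens between
    nodes.
    """
    return [n["name"] for n in nodes
            if is_vulnerable(n["version"], n["ha"], n["tpm_auth"])]


# Constructed sample cluster, not real inventory data.
SAMPLE_NODES = [
    {"name": "fw-active",  "version": "SNS 4.8.2",  "ha": True, "tpm_auth": True},
    {"name": "fw-passive", "version": "SNS 5.0.1",  "ha": True, "tpm_auth": True},
    {"name": "fw-branch",  "version": "SNS 4.3.22", "ha": False, "tpm_auth": True},
]

if __name__ == "__main__":
    print("nodes still vulnerable:", audit_cluster(SAMPLE_NODES))
```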
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative access patterns between HA nodes
- TPM authentication failures or anomalies in HA synchronization logs
Network Indicators:
- Unexpected administrative traffic between HA cluster members outside normal synchronization patterns
SIEM Query:
source="sns-firewall" AND (event_type="admin_access" OR event_type="ha_sync") AND (src_ip=ha_node_ip OR dest_ip=ha_node_ip)