CVE-2025-55462
📋 TL;DR
A CORS misconfiguration in Eramba Community and Enterprise Editions lets a malicious website make authenticated cross-origin requests to the Eramba API from a victim's browser: the API reflects arbitrary request origins in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, so the browser attaches the victim's session cookie and lets the attacker's page read the response. This allows theft of session data and session hijacking with no interaction beyond the victim visiting the attacker's page while logged in. Eramba v3.26.0 is affected; the fix shipped in v3.28.0.
💻 Affected Systems
- Eramba Community Edition
- Eramba Enterprise Edition
📦 What is this software?
Eramba by Eramba
⚠️ Risk & Real-World Impact
Worst Case
Full session hijack leading to complete compromise of Eramba accounts, data exfiltration of sensitive user information, and potential lateral movement within the system.
Likely Case
Attackers steal user session data (ID, name, email, access groups) and perform unauthorized actions using hijacked sessions.
If Mitigated
Network segmentation and access controls alone do not stop this attack, because the forged requests come from the victim's own browser, which already has access; they do make it harder for an outside attacker to replay stolen session data directly. With a strict CORS allowlist enforced at the reverse proxy, the cross-origin read is blocked and exposure is confined to individual accounts compromised by other means rather than the whole system.
🎯 Exploit Status
Exploitation requires the victim to visit an attacker-controlled web page while holding a valid Eramba session in the same browser. The attacker needs no credentials of their own and no authentication bypass; the browser supplies the victim's session cookie with each forged request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.28.0
Vendor Advisory: https://discussions.eramba.org/t/release-3-28-0/7860
Restart Required: Yes
Instructions:
1. Back up the current Eramba installation (application files and database).
2. Download v3.28.0 from the official source.
3. Follow the Eramba upgrade documentation.
4. Restart the web server services.
🔧 Temporary Workarounds
CORS Origin Restriction
Configure the web server or reverse proxy in front of Eramba to emit Access-Control-Allow-Origin only for an explicit allowlist of trusted origins, and never to echo the request's Origin header unconditionally. Replace trusted-domain.com with the origin(s) that legitimately call the API; if the API is only ever called same-origin by the Eramba UI, no CORS header is needed at all.
# Apache (mod_setenvif + mod_headers): the env var is set only for an allowlisted Origin, so unknown origins get no header
SetEnvIf Origin "^(https://trusted-domain\.com)$" ORIGIN_is_allowed=$1
Header unset Access-Control-Allow-Origin
Header set Access-Control-Allow-Origin "%{ORIGIN_is_allowed}e" env=ORIGIN_is_allowed
Header merge Vary Origin
# Nginx (reverse proxy): hide the application's header, then add the allowlisted value; an empty $cors_origin emits nothing
# in http {}:     map $http_origin $cors_origin { default ""; "https://trusted-domain.com" $http_origin; }
# in location {}: proxy_hide_header Access-Control-Allow-Origin; add_header Access-Control-Allow-Origin $cors_origin always;
Disable CORS Credentials
Remove the Access-Control-Allow-Credentials header from API responses. Browsers honour it only when the value is exactly true, so stripping it is equivalent to false; with nginx, add_header does not replace an upstream header, so hide the application's header instead of adding a second one. Test first: anything that legitimately relies on credentialed cross-origin calls to the API will break.
# Apache: Header unset Access-Control-Allow-Credentials
# Nginx: proxy_hide_header Access-Control-Allow-Credentials;
Verify each change with the check under How to Verify. If the application's header still appears, it is in a response table that the default onsuccess condition of mod_headers does not cover; repeat the Header directives with the always condition.
🧯 If You Can't Patch
- Enforce a strict CORS allowlist at the reverse proxy or load balancer rather than relying on the application's own headers
- Restrict API access to internal networks using firewall rules; this hinders an attacker outside the network from replaying stolen session data directly, but it does not stop requests issued from the victim's own browser, which already has access
🔍 How to Verify
Check if Vulnerable:
Send a request to /system-api/login with the header Origin: https://evil.com, for example curl -s -o /dev/null -D - -H 'Origin: https://evil.com' https://eramba.example.com/system-api/login (the hostname is a placeholder), and inspect the response headers. The instance is vulnerable if Access-Control-Allow-Origin echoes https://evil.com and Access-Control-Allow-Credentials: true is present. Repeat with an OPTIONS request, since preflight responses may be produced by a different code path.
Check Version:
Check Eramba admin dashboard or config files for version number
Verify Fix Applied:
Repeat vulnerable check - Access-Control-Allow-Origin should not reflect arbitrary origins and Access-Control-Allow-Credentials should be false or absent
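The check above, as an added example that is not part of the original advisory or of Eramba's code: a small Python probe that sends one request with a forged Origin and classifies the CORS response headers, distinguishing the exploitable reflected-origin case from the wildcard case that browsers reject for credentialed requests. The hostname eramba.example.com and the attacker origin https://evil.com are placeholders; the classifier can also be run offline on captured headers, as the __main__ block does.

```python
"""Probe an Eramba instance for the CVE-2025-55462 CORS misconfiguration.

Added example for this page, not Eramba's own code. It sends one request with a
forged Origin header and classifies the CORS response headers. The hostname
eramba.example.com and the attacker origin https://evil.com are placeholders.
"""
import urllib.error
import urllib.request
from typing import Mapping

ATTACKER_ORIGIN = "https://evil.com"


def classify_cors(request_origin: str, headers: Mapping[str, str]) -> str:
    """Classify a response to a request that carried request_origin.

    Header lookup is case-insensitive. Returns one of:
      "reflected-with-credentials"  exploitable: the arbitrary origin is echoed
                                    back and credentials are allowed (the CVE)
      "reflected-no-credentials"    origin echoed but the session cookie is not
                                    usable cross-origin; misconfiguration only
      "wildcard-with-credentials"   '*' plus credentials: browsers refuse to
                                    expose credentialed responses to a wildcard
      "wildcard"                    '*' without credentials
      "not-reflected"               fixed allowlist value or no CORS header
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "not-reflected"
    if acao == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao.lower() == request_origin.lower():
        return "reflected-with-credentials" if creds else "reflected-no-credentials"
    return "not-reflected"


def is_exploitable(verdict: str) -> bool:
    """Only a reflected arbitrary origin with credentials lets a hostile page
    read the victim's authenticated responses."""
    return verdict == "reflected-with-credentials"


def probe(base_url: str, origin: str = ATTACKER_ORIGIN,
          path: str = "/system-api/login", method: str = "GET") -> str:
    """Send one request with a forged Origin and classify the answer.

    Needs network access. Error responses (4xx) still carry CORS headers, so
    they are inspected too; use method="OPTIONS" to test the preflight path.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method,
                                 headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            hdrs = dict(resp.headers.items())
    except urllib.error.HTTPError as e:
        hdrs = dict(e.headers.items())
    return classify_cors(origin, hdrs)


if __name__ == "__main__":
    # Offline demonstration on constructed response headers.
    vulnerable = {"Access-Control-Allow-Origin": ATTACKER_ORIGIN,
                  "Access-Control-Allow-Credentials": "true"}
    fixed = {"Access-Control-Allow-Origin": "https://eramba.example.com"}
    print(classify_cors(ATTACKER_ORIGIN, vulnerable))  # reflected-with-credentials
    print(classify_cors(ATTACKER_ORIGIN, fixed))       # not-reflected
    # Live check against your own instance (placeholder hostname):
    # print(probe("https://eramba.example.com"))
```

A fixed allowlist value that does not match the forged origin, or no header at all, is the expected result after upgrading to v3.28.0 or applying the proxy workaround.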
📡 Detection & Monitoring
Log Indicators:
- OPTIONS preflight requests to /system-api/* carrying an Origin header that is not your own Eramba origin (a credentialed GET or simple POST triggers no preflight, so the absence of OPTIONS requests is not evidence of safety)
- API requests whose Origin header is outside your allowlist; default access-log formats do not record Origin, so add it (Apache %{Origin}i, nginx $http_origin) before relying on this indicator
- Bursts of cross-origin API requests from many client IPs that all carry the same unfamiliar Origin, which suggests a hostile page being served to several users
Network Indicators:
- Responses from /system-api/* whose Access-Control-Allow-Origin echoes an untrusted request Origin together with Access-Control-Allow-Credentials: true (the exploitable pattern)
- Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true (a misconfiguration worth alerting on, but browsers refuse to expose credentialed responses to a wildcard origin, so it does not by itself enable the session theft described here)
- Cross-origin requests to /system-api/* endpoints from origins outside your own domains
SIEM Query:
http.response.headers:"Access-Control-Allow-Credentials: true" AND http.response.headers:"Access-Control-Allow-Origin: *"
This query catches the wildcard misconfiguration only. The reflected-origin case requires comparing the request Origin with the response header, which most query languages cannot express directly; the practical approach is to alert on credentialed CORS responses whose request Origin is outside the allowlist. Field names depend on your schema; for example:
http.response.headers:"Access-Control-Allow-Credentials: true" AND http.request.headers.origin:* AND NOT http.request.headers.origin:"https://eramba.example.com"
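The log indicators above, as an added example that is neither the advisory's nor Eramba's code: a Python script that runs over access-log lines and flags cross-origin API requests from origins outside an allowlist, distinguishing exploitable reflection from the wildcard misconfiguration and from bare preflights. It assumes a custom Apache LogFormat that appends the request Origin and the two CORS response headers, because default formats record none of them; the allowlist, the log lines and the request paths under /system-api/ are constructed for the example.

```python
"""Detect CORS reflection against the Eramba API in web-server access logs.

Added example for this page, not Eramba's or the vendor's code. Assumed Apache
log format (default formats record none of these headers):

  LogFormat "%h %t \"%r\" %>s \"%{Origin}i\" \"%{Access-Control-Allow-Origin}o\" \"%{Access-Control-Allow-Credentials}o\"" cors
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Origins legitimately allowed to call the API (assumption: adjust to your deployment).
ALLOWED_ORIGINS = {"https://eramba.example.com"}
API_PREFIX = "/system-api/"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<origin>[^"]*)" "(?P<acao>[^"]*)" "(?P<acac>[^"]*)"$'
)

# Constructed sample lines in the format above; hosts and paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 [12/Aug/2025:10:01:02 +0000] "POST /system-api/login HTTP/1.1" 200 "https://eramba.example.com" "https://eramba.example.com" "true"
203.0.113.7 [12/Aug/2025:10:02:14 +0000] "OPTIONS /system-api/login HTTP/1.1" 204 "https://evil.example" "https://evil.example" "true"
203.0.113.7 [12/Aug/2025:10:02:15 +0000] "GET /system-api/example HTTP/1.1" 200 "https://evil.example" "https://evil.example" "true"
10.0.0.9 [12/Aug/2025:10:03:00 +0000] "GET /login HTTP/1.1" 200 "-" "-" "-"
10.0.0.9 [12/Aug/2025:10:03:30 +0000] "GET /system-api/example HTTP/1.1" 200 "https://partner.example" "*" "true"
"""

EXPLOITABLE = "origin reflected with credentials (exploitable)"
WILDCARD = "wildcard with credentials (misconfiguration; browsers block credentialed reads)"
PREFLIGHT = "preflight from unexpected origin"
UNEXPECTED = "cross-origin request from unexpected origin"


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    origin: str
    reason: str


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per API request from a non-allowlisted origin."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format
        d = m.groupdict()
        origin = "" if d["origin"] == "-" else d["origin"]
        if not d["path"].startswith(API_PREFIX) or not origin:
            continue  # not an API call, or no Origin header (same-origin navigation)
        if origin in ALLOWED_ORIGINS:
            continue  # legitimate cross-origin or same-origin caller
        acao = "" if d["acao"] == "-" else d["acao"]
        acac = d["acac"].lower() == "true"
        if acao.lower() == origin.lower() and acac:
            reason = EXPLOITABLE  # server echoed the hostile origin and allowed cookies
        elif acao == "*" and acac:
            reason = WILDCARD
        elif d["method"] == "OPTIONS":
            reason = PREFLIGHT
        else:
            reason = UNEXPECTED
        findings.append(Finding(d["ip"], d["ts"], d["method"], d["path"], origin, reason))
    return findings


def exploitable(findings: Iterable[Finding]) -> List[Finding]:
    """Keep only the findings where a hostile page could read the response."""
    return [f for f in findings if f.reason == EXPLOITABLE]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.ip} {f.method} {f.path} origin={f.origin}: {f.reason}")
```

Run it against the real log after adding the Origin and response-header fields to the LogFormat; after the fix, the exploitable category should be empty while unexpected-origin entries may still appear and are harmless on their own.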