CVE-2025-58385
📋 TL;DR
This vulnerability in DOXENSE WATCHDOC allows attackers to obtain the private PUK codes of Active Directory registered users, because the codes rest on hard-coded and predictable data. It affects all WATCHDOC installations running a version earlier than 6.1.0.5094 with Active Directory integration enabled.
💻 Affected Systems
- DOXENSE WATCHDOC, versions before 6.1.0.5094, when Active Directory integration is enabled
📦 What is this software?
Watchdoc by Doxense, a print management solution that can identify and authenticate users against Active Directory.
⚠️ Risk & Real-World Impact
Worst Case
Because the PUK codes of every Active Directory registered user are recoverable, an attacker could impersonate any of those users wherever WATCHDOC accepts the PUK code as the user's credential (typically identification at the print device), gaining access to their documents and to anything WATCHDOC-integrated that trusts that identity. Wider compromise, data theft and lateral movement follow only where the same codes are reused or trusted by other systems.
Likely Case
Attackers gain unauthorized access to user accounts, potentially accessing sensitive documents and systems integrated with WATCHDOC.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the WATCHDOC system itself. Credential exposure remains a concern, however: PUK codes that were already derived from the predictable data stay exposed until they are regenerated, so check the vendor advisory for whether the update regenerates them or whether that must be done manually.
🎯 Exploit Status
Exploitation requires network access to the WATCHDOC server. Because the PUK codes rest on hard-coded and predictable data, no brute force is needed once the weakness is understood, which makes exploitation straightforward. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.0.5094
Vendor Advisory: https://doc.doxense.com/Watchdoc/J_Securite/cve-2025-58385.htm
Restart Required: Yes
Instructions:
1. Download WATCHDOC version 6.1.0.5094 or later from https://update.doxense.com/
2. Back up the current configuration and data
3. Install the update following the vendor instructions
4. Restart the WATCHDOC services
5. Verify that the update succeeded
🔧 Temporary Workarounds
Disable Active Directory Integration
Temporarily disable Active Directory integration to prevent exploitation while planning the upgrade
Consult WATCHDOC administration guide for AD integration disable procedure
Network Segmentation
Isolate the WATCHDOC server from other critical systems to limit lateral movement potential
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the WATCHDOC server
- Enable detailed logging and monitoring for suspicious authentication attempts and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check WATCHDOC version in administration interface. If version is below 6.1.0.5094 and Active Directory integration is enabled, the system is vulnerable.
Check Version:
Check WATCHDOC web interface → Administration → System Information
Verify Fix Applied:
Verify version is 6.1.0.5094 or higher in administration interface and confirm Active Directory functionality works properly.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful logins from unusual locations
- Unusual patterns of document access or system configuration changes
Network Indicators:
- Unusual authentication traffic patterns to WATCHDOC server
- Connection attempts from unexpected IP addresses
SIEM Query:
source="WATCHDOC" AND (event_type="authentication" AND result="success") | stats count by user, src_ip | where count > threshold
The query counts successful authentications per user and source address; `threshold` is a placeholder to replace with a value tuned to your normal volume (for example a few standard deviations above the per-user daily baseline), and the field names must be mapped onto those your WATCHDOC log export actually emits.
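The same two indicators, a burst of successes per user and source address (the SIEM query above) and failed attempts followed by a success (the first log indicator), run over constructed sample log lines. This is an added example for this page, not Doxense code and not a real WATCHDOC log format: the JSON-lines layout with `ts`, `event_type`, `result`, `user` and `src_ip` fields is an assumption, as are the thresholds, and both should be mapped onto the fields and volumes of your own export.

```python
"""Detection helpers for the WATCHDOC authentication indicators above.

Added example, not part of the advisory or of the vendor's software.
Assumptions: JSON lines with fields ts, event_type, result, user, src_ip;
thresholds are illustrative and must be tuned to the deployment.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real WATCHDOC output).
SAMPLE_LOG = """\
{"ts": "2025-10-01T08:00:01Z", "event_type": "authentication", "result": "failure", "user": "alice", "src_ip": "10.0.5.17"}
{"ts": "2025-10-01T08:00:03Z", "event_type": "authentication", "result": "failure", "user": "alice", "src_ip": "10.0.5.17"}
{"ts": "2025-10-01T08:00:05Z", "event_type": "authentication", "result": "failure", "user": "alice", "src_ip": "10.0.5.17"}
{"ts": "2025-10-01T08:00:07Z", "event_type": "authentication", "result": "success", "user": "alice", "src_ip": "10.0.5.17"}
{"ts": "2025-10-01T08:05:00Z", "event_type": "authentication", "result": "success", "user": "bob", "src_ip": "10.0.2.40"}
{"ts": "2025-10-01T08:06:00Z", "event_type": "authentication", "result": "success", "user": "bob", "src_ip": "10.0.2.40"}
{"ts": "2025-10-01T08:07:00Z", "event_type": "document_access", "result": "success", "user": "bob", "src_ip": "10.0.2.40"}
{"ts": "2025-10-01T09:00:00Z", "event_type": "authentication", "result": "success", "user": "carol", "src_ip": "10.0.9.9"}
{"ts": "2025-10-01T09:00:30Z", "event_type": "authentication", "result": "success", "user": "carol", "src_ip": "10.0.9.9"}
{"ts": "2025-10-01T09:01:00Z", "event_type": "authentication", "result": "success", "user": "carol", "src_ip": "10.0.9.9"}
{"ts": "2025-10-01T09:01:30Z", "event_type": "authentication", "result": "success", "user": "carol", "src_ip": "10.0.9.9"}
{"ts": "2025-10-01T09:02:00Z", "event_type": "authentication", "result": "success", "user": "carol", "src_ip": "10.0.9.9"}
{"ts": "2025-10-01T09:02:30Z", "event_type": "authentication", "result": "success", "user": "carol", "src_ip": "10.0.9.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def successes_by_user_ip(events, threshold=5):
    """Equivalent of the SIEM query: successful authentications per
    (user, src_ip), returning only pairs whose count exceeds `threshold`."""
    counts = Counter(
        (e["user"], e["src_ip"])
        for e in events
        if e["event_type"] == "authentication" and e["result"] == "success"
    )
    return {pair: n for pair, n in counts.items() if n > threshold}


def failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag a success that follows at least `min_failures` failed attempts
    for the same user inside `window`: a guessing or replay pattern."""
    recent_failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["event_type"] != "authentication":
            continue
        user = e["user"]
        cutoff = e["ts"] - window
        # Keep only failures still inside the sliding window.
        recent_failures[user] = [t for t in recent_failures[user] if t >= cutoff]
        if e["result"] == "failure":
            recent_failures[user].append(e["ts"])
        elif e["result"] == "success":
            if len(recent_failures[user]) >= min_failures:
                alerts.append({
                    "user": user,
                    "src_ip": e["src_ip"],
                    "failures": len(recent_failures[user]),
                    "ts": e["ts"].isoformat(),
                })
            recent_failures[user] = []
    return alerts


def analyse(text=SAMPLE_LOG):
    """Run both detections over a log export and return the findings."""
    events = parse_events(text)
    return {
        "success_bursts": successes_by_user_ip(events),
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for name, findings in analyse().items():
        print(name, findings)
```

On the constructed input, `carol` is reported for six successes from one address (above the illustrative threshold of five) and `alice` for three failures immediately followed by a success; `bob` triggers nothing. Authentication via a recovered PUK code may look like a clean first-try success, so the per-user baseline comparison matters more than the failure-burst rule for this particular CVE.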