CVE-2025-59714

6.5 MEDIUM

📋 TL;DR

This vulnerability allows group administrators who are not Grouper system administrators to configure loader jobs in Internet2 Grouper. This improper access control could enable unauthorized configuration changes to data loading processes. Organizations running affected versions of Grouper with non-system admin group administrators are impacted.

💻 Affected Systems

Products:
  • Internet2 Grouper
Versions: 5.17.1 through 5.20.4
Operating Systems: All platforms running Grouper
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where group administrators exist who are not also Grouper system administrators.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with group admin privileges could configure malicious loader jobs to execute arbitrary code, modify sensitive data, or disrupt Grouper operations, potentially leading to data corruption or unauthorized access.

🟠 Likely Case

Group admins could unintentionally or intentionally misconfigure loader jobs, causing data integrity issues, failed synchronization, or operational disruptions in group management systems.

🟢 If Mitigated

With proper role separation and monitoring, the impact is limited to configuration errors that can be detected and corrected before causing significant harm.

🌐 Internet-Facing: LOW - Grouper is typically deployed internally for identity and access management, not directly internet-facing.
🏢 Internal Only: MEDIUM - Internal group administrators could exploit this, but requires existing administrative privileges within the system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires existing group administrator privileges and knowledge of Grouper loader job configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.20.5

Vendor Advisory: https://spaces.at.internet2.edu/display/Grouper/Grouper+bug+-+GRP-6311+-+non-Grouper-admins+can+configure+loader+jobs

Restart Required: No

Instructions:

1. Download Grouper version 5.20.5 or later.
2. Follow standard Grouper upgrade procedures.
3. Verify that only Grouper system administrators can configure loader jobs post-upgrade.

🔧 Temporary Workarounds

Restrict loader job configuration

Applies to: all

Manually modify Grouper permissions to ensure only Grouper system administrators have access to configure loader jobs.

gsh -run -privileged -command "grantPriv('loaderJobConfig', 'GrouperSystem', 'grouperSysadminRole')"
gsh -run -privileged -command "revokePriv('loaderJobConfig', 'GrouperSystem', 'grouperGroupAdminRole')"

🧯 If You Can't Patch

  • Review and audit all group administrator accounts to ensure they have appropriate privileges
  • Implement monitoring and alerting for loader job configuration changes

🔍 How to Verify

Check if Vulnerable:

Check the Grouper version using the Grouper Shell (gsh) command gsh -version. If the version is between 5.17.1 and 5.20.4 inclusive, the system is vulnerable.

Check Version:

gsh -version

Verify Fix Applied:

After upgrading to 5.20.5 or later, attempt to configure a loader job as a non-system admin group administrator. This should fail with permission denied.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to configure loader jobs
  • Loader job configuration changes by non-system administrators
  • Permission denied errors in Grouper logs for loader job operations

Network Indicators:

  • Unusual patterns of administrative API calls to Grouper loader endpoints

SIEM Query:

source="grouper.log" AND ("loaderJobConfig" OR "configure loader") AND NOT user="grouperSysadmin"
