CVE-2025-62189
📋 TL;DR
LogStare Collector has an incorrect authorization vulnerability in UserRegistration that allows non-administrative users to create new accounts via crafted HTTP requests. This affects all LogStare Collector deployments with the vulnerable component enabled. Attackers could create unauthorized accounts to gain persistent access.
💻 Affected Systems
- LogStare Collector
⚠️ Risk & Real-World Impact
Worst Case
Attackers create administrative accounts, gain full system control, and establish persistent backdoors for data exfiltration or further attacks.
Likely Case
Attackers create standard user accounts to maintain persistent access, escalate privileges over time, and potentially access sensitive log data.
If Mitigated
With proper network segmentation and monitoring, unauthorized account creation is detected and blocked before significant damage occurs.
🎯 Exploit Status
Requires authenticated non-admin access. Simple HTTP request manipulation needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.1
Vendor Advisory: https://www.logstare.com/vulnerability/2025-001/
Restart Required: Yes
Instructions:
1. Download LogStare Collector 3.2.1 from the official vendor site.
2. Stop the LogStare Collector service.
3. Back up configuration files.
4. Install/upgrade to version 3.2.1.
5. Restart the LogStare Collector service.
6. Verify successful upgrade.
🔧 Temporary Workarounds
Disable UserRegistration
Temporarily disable the vulnerable UserRegistration functionality (all platforms)
Edit configuration file: set 'user_registration.enabled = false'
Restart LogStare Collector service
Network Access Control
Restrict access to UserRegistration endpoints (all platforms)
Add firewall rule: deny access to /api/user/register endpoint
Configure web application firewall to block registration requests from non-admin users
🧯 If You Can't Patch
- Implement strict network segmentation to isolate LogStare Collector from untrusted networks
- Enable detailed audit logging for all user creation events and monitor for unauthorized account creation
🔍 How to Verify
Check if Vulnerable:
Check LogStare Collector version: if version < 3.2.1 and UserRegistration is enabled, system is vulnerable.
Check Version:
logstare-collector --version
Verify Fix Applied:
Verify version is 3.2.1 or higher and test that non-admin users cannot create new accounts via UserRegistration API.
📡 Detection & Monitoring
Log Indicators:
- Unusual user creation events from non-admin accounts
- Multiple failed registration attempts followed by successful creation
- User creation from unexpected IP addresses
Network Indicators:
- HTTP POST requests to /api/user/register from non-admin authenticated sessions
- Unusual patterns in authentication logs
SIEM Query:
source="logstare" AND (event_type="user_creation" AND user_role!="admin")
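The three log indicators above, applied to sample events (an added example, not LogStare or vendor code). The `event_type` and `user_role` fields come from the SIEM query, with `user_role` taken to be the role of the account making the request; the JSON-lines layout, the `ts`, `actor`, `src_ip` and `outcome` fields, the subnet and the thresholds are assumptions to adapt to your own logs.

```python
import ipaddress
import json

# Constructed events. event_type and user_role come from the SIEM query above;
# ts, actor, src_ip, outcome and the JSON-lines layout are assumptions.
SAMPLE_LOG = """\
{"ts":100,"event_type":"user_creation","actor":"admin1","user_role":"admin","src_ip":"10.0.0.5","outcome":"success"}
{"ts":200,"event_type":"user_creation","actor":"bob","user_role":"user","src_ip":"10.0.0.9","outcome":"failure"}
{"ts":210,"event_type":"user_creation","actor":"bob","user_role":"user","src_ip":"10.0.0.9","outcome":"failure"}
{"ts":220,"event_type":"user_creation","actor":"bob","user_role":"user","src_ip":"10.0.0.9","outcome":"failure"}
{"ts":230,"event_type":"user_creation","actor":"bob","user_role":"user","src_ip":"10.0.0.9","outcome":"success"}
not-json-line
{"ts":900,"event_type":"user_creation","actor":"admin1","user_role":"admin","src_ip":"203.0.113.7","outcome":"success"}
{"ts":950,"event_type":"login","actor":"bob","user_role":"user","src_ip":"10.0.0.9","outcome":"success"}
"""
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed admin subnet
FAIL_THRESHOLD = 3     # failed creations before a success is flagged
WINDOW_SECONDS = 300   # look-back window for those failures

def detect(log_text):
    """Return (ts, actor, reason) alerts for user_creation events."""
    alerts, failures = [], {}  # failures: actor -> timestamps of failed creations
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if ev.get("event_type") != "user_creation":
            continue
        ts, actor = ev.get("ts", 0), ev.get("actor", "?")
        recent = [t for t in failures.get(actor, []) if ts - t <= WINDOW_SECONDS]
        if ev.get("outcome") != "success":
            failures[actor] = recent + [ts]
            continue
        if ev.get("user_role") != "admin":
            alerts.append((ts, actor, "creation_by_non_admin"))
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append((ts, actor, "failures_then_success"))
        try:
            ip = ipaddress.ip_address(ev.get("src_ip", ""))
            ip_ok = any(ip in net for net in EXPECTED_NETS)
        except ValueError:
            ip_ok = False  # missing or unparsable address counts as unexpected
        if not ip_ok:
            alerts.append((ts, actor, "unexpected_source_ip"))
        failures[actor] = []  # reset the failure streak after a success
    return alerts
```

On a patched 3.2.1 system the first rule should stop firing; keeping it enabled after the upgrade gives a regression check.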