CVE-2025-6391

9.8 CRITICAL

📋 TL;DR

Brocade ASCG versions before 3.3.0 log JSON Web Tokens (JWT) in plain text within log files. Attackers with access to these logs can extract unencrypted tokens, potentially leading to unauthorized access, session hijacking, and information disclosure. Organizations using Brocade ASCG before version 3.3.0 are affected.

💻 Affected Systems

Products:
  • Brocade Application Services Controller Gateway (ASCG)
Versions: All versions before 3.3.0
Operating Systems: Not specified, likely appliance-based
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default logging configuration; no special configuration required to be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via token reuse leading to administrative access, data exfiltration, and lateral movement across connected systems.

🟠 Likely Case: Session hijacking and unauthorized access to user accounts or administrative functions, potentially leading to data exposure.

🟢 If Mitigated: Limited impact if logs are properly secured with strict access controls and monitoring, though risk remains if tokens are captured.

🌐 Internet-Facing: HIGH if log files are accessible via web interfaces or misconfigured permissions, as tokens could be extracted remotely.
🏢 Internal Only: MEDIUM if logs are only accessible internally, but insider threats or compromised accounts could still exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to log files, which may involve authentication or misconfigurations; token extraction is trivial once logs are accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0

Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35951

Restart Required: Yes

Instructions:

1. Review the vendor advisory for details.
2. Upgrade Brocade ASCG to version 3.3.0 or later.
3. Restart the system to apply changes.
4. Verify the fix by checking logs for JWT entries.

🔧 Temporary Workarounds

Restrict Log File Access

Platform: linux

Apply strict file permissions to the log files and their directory so that only the account that runs the ASCG logging process can read them; set the owner to that service account rather than root if the process does not run as root, otherwise it may no longer be able to write its logs.

chmod 700 /path/to/logs
chmod 600 /path/to/logs/*
chown root:root /path/to/logs/*

Disable JWT Logging

Platform: all

Modify the logging configuration to exclude JWT tokens from logs if supported: edit the configuration files to remove or mask JWT fields in log output.

🧯 If You Can't Patch

  • Implement strict access controls on log files and directories to limit exposure.
  • Monitor log access and implement alerting for unauthorized attempts to read logs.

🔍 How to Verify

Check if Vulnerable:

Check the ASCG version; if it is below 3.3.0, review log files for plain-text JWT entries using grep or log analysis tools.

Check Version:

Use the ASCG administrative interface or CLI command specific to the appliance to check the current version.

Verify Fix Applied:

After upgrading to 3.3.0, confirm that JWT tokens are no longer logged in plain text by checking recent log entries.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to log files, unusual log file reads, or JWT tokens appearing in log entries.

Network Indicators:

  • Suspicious network traffic to log file paths or administrative interfaces.

SIEM Query:

source="ascg_logs" AND (event="JWT" OR token="eyJ*")

(Splunk-style syntax; the wildcard is required because a JWT only begins with "eyJ", so an exact match on that value would never fire. Adjust the source and field names to your log pipeline.)
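As an added example that is not part of the advisory and not Broadcom's code, the following Python scanner supports the "Check if Vulnerable" and "Verify Fix Applied" steps above, the masking workaround under "Disable JWT Logging", and the prefix-match idea behind the SIEM query. It finds JWT-shaped strings (three base64url segments starting with eyJ), confirms each candidate structurally (the header must decode to a JSON object carrying an alg claim) so that arbitrary eyJ prefixes are not reported, and shows how a log filter could redact tokens before they are written. The token, log lines, and field names are constructed samples and are not ASCG's own format.

```python
"""Find JSON Web Tokens in log lines and redact them before logs are written."""
import base64
import json
import re

# A JWT is three base64url segments joined by dots. A JSON header always
# begins with '{"', whose base64url encoding is "eyJ", hence the prefix.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_jwt(candidate: str) -> bool:
    """True if the string is a structurally valid JWT: JSON header with 'alg'."""
    parts = candidate.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))  # payload must also be JSON
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def find_jwts(lines):
    """Return (line_number, token) for every JWT found in an iterable of log lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in JWT_RE.finditer(line):
            if is_jwt(match.group(0)):
                hits.append((lineno, match.group(0)))
    return hits


def redact_jwt(line: str) -> str:
    """Replace each JWT in a line with a marker that keeps only the header prefix."""
    def _mask(match):
        token = match.group(0)
        if not is_jwt(token):
            return token  # leave look-alikes untouched
        return token[:8] + "...[JWT_REDACTED]"
    return JWT_RE.sub(_mask, line)


# Constructed sample data (hypothetical; not taken from any ASCG log).
def _make_token(header: dict, payload: dict) -> str:
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(payload) + ".c2lnbmF0dXJl"  # fake signature segment


SAMPLE_TOKEN = _make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "admin", "exp": 1700000000})
NOT_A_JWT = _make_token({"typ": "custom"}, {})  # valid JSON header but no "alg" claim
SAMPLE_LOG = [
    "2025-07-01T10:00:00Z INFO gateway request /api/v1/status user=alice",
    "2025-07-01T10:00:01Z DEBUG auth header Authorization: Bearer " + SAMPLE_TOKEN,
    "2025-07-01T10:00:02Z INFO opaque id=" + NOT_A_JWT,
]

if __name__ == "__main__":
    for lineno, token in find_jwts(SAMPLE_LOG):
        print(f"line {lineno}: JWT present (starts {token[:8]}...)")
    for line in SAMPLE_LOG:
        print(redact_jwt(line))
```

Run find_jwts over a tail of the appliance's log files before and after the upgrade: any hit on a pre-3.3.0 system confirms the exposure, and zero hits after upgrading confirms the fix. The structural check matters because the "eyJ" prefix alone also matches base64 of any JSON object, so a plain grep for eyJ will over-report in logs that carry other encoded JSON.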
