CVE-2025-66028
📋 TL;DR
OneUptime versions before 8.0.5567 contain a privilege escalation vulnerability: the admin dashboard trusts the `isMasterAdmin` field returned in the login response. An authenticated low-privileged user who intercepts that response in their own browser or proxy (Burp, ZAP, browser devtools) and changes `isMasterAdmin` from false to true is shown the admin dashboard, bypassing the authorization check. All OneUptime deployments running a vulnerable version are affected.
💻 Affected Systems
- OneUptime
📦 What is this software?
OneUptime by HackerBay: an open-source observability platform combining uptime monitoring, status pages, incident management and on-call alerting, usually self-hosted via Docker Compose or Kubernetes.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to the monitoring platform, potentially compromising all monitored services, stealing sensitive data, and disrupting critical infrastructure monitoring.
Likely Case
A low-privileged user reaches the admin dashboard interface; depending on whether the backing admin API endpoints perform their own server-side authorization, this yields anything from reconnaissance of the admin UI to unauthorized administrative actions.
If Mitigated
With proper network segmentation and monitoring, unauthorized access attempts are detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires a valid account on the instance (any role) and nothing more: the attacker modifies the login response delivered to their own client, so no network position or man-in-the-middle capability is needed, and TLS does not get in the way. A web proxy or browser devtools is enough, making this trivial to exploit.
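The following is an added TypeScript model of the bug class described in the TL;DR and above, not OneUptime's own code: a client that gates the admin dashboard on the `isMasterAdmin` flag it received at login, an attacker flipping that flag, and the server-side check that actually closes the hole by deriving privilege from the session rather than from anything the client holds. All names, the in-memory user store and the token scheme are assumptions made for the example.

```typescript
// Illustrative model of CVE-2025-66028's bug class (assumed names, not OneUptime code):
// a UI that trusts `isMasterAdmin` from the login response, beside a server-side
// admin API that re-derives privilege from the session on every call.

interface UserRecord {
  id: string;
  password: string;       // plaintext only to keep the example short
  isMasterAdmin: boolean;
}

interface LoginResponse {
  token: string;
  isMasterAdmin: boolean; // informational; the client can rewrite it at will
}

// Constructed user store: one ordinary user and one master admin.
const users: Record<string, UserRecord> = {
  alice: { id: "alice", password: "alice-pw", isMasterAdmin: false },
  root:  { id: "root",  password: "root-pw",  isMasterAdmin: true },
};

// Server-side session store: token -> user id. Authorization is derived from
// here and from the user record, never from state the client sends back.
const sessions = new Map<string, string>();
let tokenCounter = 0;

function login(username: string, password: string): LoginResponse | null {
  const user = users[username];
  if (!user || user.password !== password) return null;
  const token = `tok-${++tokenCounter}`;
  sessions.set(token, user.id);
  return { token, isMasterAdmin: user.isMasterAdmin };
}

// VULNERABLE pattern: the dashboard decides whether to show admin views based
// on the flag it received (or cached from) the login response.
function clientCanOpenAdminDashboard(resp: LoginResponse): boolean {
  return resp.isMasterAdmin;
}

// Attacker step: the intercepted response with the flag flipped to true.
function tamper(resp: LoginResponse): LoginResponse {
  return { ...resp, isMasterAdmin: true };
}

// HARDENED pattern: each admin API call looks the caller up server-side and
// ignores whatever the client believes about itself.
function adminApiListUsers(token: string): { status: number; body: string[] | string } {
  const userId = sessions.get(token);
  if (!userId) return { status: 401, body: "unauthenticated" };
  if (!users[userId].isMasterAdmin) return { status: 403, body: "forbidden" };
  return { status: 200, body: Object.keys(users) };
}

// Walk through the attack: low-privilege login, tampered response, the UI is
// fooled, the server-side check is not.
function demo() {
  const resp = login("alice", "alice-pw")!;
  const forged = tamper(resp);
  return {
    uiOpensWithForgedFlag: clientCanOpenAdminDashboard(forged),      // true
    apiStatusWithForgedFlag: adminApiListUsers(forged.token).status, // 403
    apiStatusForRealAdmin: adminApiListUsers(login("root", "root-pw")!.token).status, // 200
  };
}

console.log(demo());
```

The point of the contrast is that the client-side flag may still be used to decide what to render, but it must never be the only thing standing between a user and admin functionality; every admin route has to perform the `sessions` lookup shown in `adminApiListUsers`.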
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.5567
Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-675q-66gf-gqg8
Restart Required: Yes
Instructions:
1. Back up your OneUptime instance (database and configuration).
2. Update to version 8.0.5567 or later using your deployment method (Docker Compose, Kubernetes/Helm, etc.).
3. Restart the application.
4. Verify the fix by checking the running version and testing login with both an admin and a non-admin account.
🔧 Temporary Workarounds
Restrict Access to Admin Routes
Put the admin dashboard and admin API routes behind an allowlist at the reverse proxy or WAF so that only administrator source IPs or a VPN range can reach them
A tampered login response is useless to an attacker who cannot reach the admin routes at all
Transport Encryption Is Not a Mitigation Here
HTTPS and HSTS remain baseline hygiene, but they do not address this issue: the attacker edits the response after it arrives in their own browser or proxy, so TLS protects nothing against them and a WAF never sees the modified response either
WAF rules can only act on requests that reach the server; use them to enforce the admin-route allowlist above, not to look for "response tampering"
🧯 If You Can't Patch
- Implement strict network segmentation so OneUptime, and in particular its admin dashboard, is reachable only from trusted administrator networks
- Add IP allowlisting or a VPN in front of the admin routes; note that 2FA alone does not help, because the attacker authenticates legitimately with their own account and tampers only after login
- Review the accounts on the instance and remove any that are unneeded, since every valid account is a potential starting point
🔍 How to Verify
Check if Vulnerable:
Check if your OneUptime version is below 8.0.5567 by examining the application version in the admin interface or deployment configuration.
Check Version:
Check the version shown in the OneUptime web interface, or inspect the running container image/tag, e.g. `docker inspect <oneuptime container> | grep -i version` (the container name depends on your deployment; under Compose use `docker compose ps` to list it).
Verify Fix Applied:
After updating to 8.0.5567 or later, log in with a non-admin account, intercept the login response and set `isMasterAdmin` to true. The admin dashboard and its API endpoints should still deny access; if they do not, the update did not take effect.
📡 Detection & Monitoring
Log Indicators:
- Requests to admin dashboard routes or admin-only API endpoints from accounts that are not known master admins (the strongest signal for this bug)
- A single non-admin account producing a burst of 403 responses on admin API endpoints right after login, which is what a tampered client generates when the server does enforce authorization
- Admin-route access shortly after login from an IP address or user agent that is unusual for that account
Network Indicators:
- There is no reliable network signature: the tampering happens in the attacker's own browser or proxy after the response has left the server, so nothing modified ever crosses the wire towards the server. Rely on server-side request logs rather than traffic inspection.
SIEM Query (illustrative Splunk-style search; the `user`, `uri_path` and `status` field names and the `master_admins.csv` lookup are assumptions to adapt to your log schema):
index=oneuptime (uri_path="/admin/*" OR uri_path="/api/admin/*") NOT [| inputlookup master_admins.csv | fields user]
| stats count AS admin_route_hits values(uri_path) AS paths values(status) AS statuses BY user
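As an added example of the log-based detection described above (not OneUptime's code or log format), the TypeScript below runs the rule "admin-route request by an account outside the master-admin set" over a constructed JSON-lines access log. The log schema, route prefixes and user names are assumptions; substitute your own proxy or application log fields.

```typescript
// Added detection example: flag requests to admin-only routes made by accounts
// that are not in the known master-admin set. The JSON log format, field names
// and route prefixes are assumptions for this example, not OneUptime's own.

interface AccessEvent {
  ts: string;
  userId: string;
  method: string;
  path: string;
  status: number;
}

// Constructed sample log (JSON lines) as an app logger or reverse proxy might emit.
// "alice" is an ordinary user who reaches the admin UI after tampering with her
// login response; "root" is the only legitimate master admin.
const SAMPLE_LOG = `
{"ts":"2025-12-01T10:00:01Z","userId":"alice","method":"POST","path":"/api/identity/login","status":200}
{"ts":"2025-12-01T10:00:05Z","userId":"alice","method":"GET","path":"/admin/dashboard","status":200}
{"ts":"2025-12-01T10:00:06Z","userId":"alice","method":"GET","path":"/api/admin/users","status":403}
{"ts":"2025-12-01T10:01:00Z","userId":"root","method":"GET","path":"/admin/dashboard","status":200}
{"ts":"2025-12-01T10:02:00Z","userId":"bob","method":"GET","path":"/dashboard","status":200}
`.trim();

const KNOWN_MASTER_ADMINS: ReadonlySet<string> = new Set(["root"]);
const ADMIN_ROUTE_PREFIXES = ["/admin/", "/api/admin/"];

function parseAccessLog(text: string): AccessEvent[] {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => JSON.parse(line) as AccessEvent);
}

function isAdminRoute(path: string): boolean {
  return ADMIN_ROUTE_PREFIXES.some((prefix) => path.startsWith(prefix));
}

interface Finding {
  userId: string;
  hits: number;    // admin-route requests by this non-admin account
  served: number;  // of those, how many the server answered with 2xx
  paths: string[];
}

// Core rule: any admin-route request from an account outside the admin set is
// suspicious; a 2xx on such a request means the server is not enforcing either.
function findSuspiciousAdminAccess(events: AccessEvent[], admins: ReadonlySet<string>): Finding[] {
  const byUser = new Map<string, Finding>();
  for (const e of events) {
    if (!isAdminRoute(e.path) || admins.has(e.userId)) continue;
    const f = byUser.get(e.userId) ?? { userId: e.userId, hits: 0, served: 0, paths: [] };
    f.hits += 1;
    if (e.status >= 200 && e.status < 300) f.served += 1;
    f.paths.push(`${e.method} ${e.path} -> ${e.status}`);
    byUser.set(e.userId, f);
  }
  return [...byUser.values()];
}

function runDetection(): Finding[] {
  return findSuspiciousAdminAccess(parseAccessLog(SAMPLE_LOG), KNOWN_MASTER_ADMINS);
}

for (const f of runDetection()) {
  console.log(`ALERT user=${f.userId} admin_route_hits=${f.hits} served_2xx=${f.served}`);
  for (const p of f.paths) console.log(`  ${p}`);
}
```

The `served` counter is the triage key: a non-admin account getting 403s on admin routes shows a tampered client probing a server that holds, while any 2xx from such an account indicates the authorization gap is live and the instance needs to be patched or the admin routes fenced off immediately.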