CVE-2025-68435
📋 TL;DR
Zerobyte backup automation tool versions before 0.18.5 and 0.19.0 have an authentication bypass vulnerability where certain API endpoints don't properly check session credentials. This allows unauthorized access to backup functionality for anyone who can reach the Zerobyte instance. Organizations with Zerobyte exposed beyond internal networks are most affected.
💻 Affected Systems
- Zerobyte
📦 What is this software?
Zerobyte by Nicotsx
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers gain full administrative control over backup systems, potentially accessing, modifying, or deleting sensitive backup data and configurations.
Likely Case
Unauthorized users access backup data, view system configurations, or disrupt backup operations without authentication.
If Mitigated
Limited to internal network access only, reducing exposure to trusted users who already have some level of network access.
🎯 Exploit Status
Authentication bypass requires no credentials, making exploitation straightforward for anyone with network access to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.19.0 or 0.18.5
Vendor Advisory: https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the Zerobyte service.
3. Upgrade to version 0.19.0 or 0.18.5 using the package manager or a manual installation.
4. Restart the Zerobyte service.
5. Verify that authentication is required for all API endpoints.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Zerobyte instance using firewall rules that only allow trusted IP addresses or networks.
iptables -A INPUT -p tcp --dport [ZERO-BYTE-PORT] -s [TRUSTED-NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [ZERO-BYTE-PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Zerobyte instance from untrusted networks
- Deploy a reverse proxy with authentication in front of Zerobyte API endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Zerobyte version: any version earlier than 0.18.5 or 0.19.0 is vulnerable. Requesting the API endpoints without authentication confirms the bypass.
Check Version:
zerobyte --version or check package manager
Verify Fix Applied:
After upgrading, attempt to access the API endpoints without valid session credentials; all of them should return authentication errors.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful API access
- API requests from unexpected IP addresses without authentication logs
Network Indicators:
- Unauthenticated API requests to Zerobyte endpoints
- Traffic to backup-related endpoints from unauthorized sources
SIEM Query:
source="zerobyte.log" AND (event="api_request" AND NOT auth_success="true")
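A small checker that applies the same rule as the SIEM query above to raw log lines, and also notes whether the source IP produced an earlier failed authentication (the first log indicator listed). This is an added example, not Zerobyte's own code; the key=value line format, the sample lines and field names other than event and auth_success are assumptions.

```python
"""Flag Zerobyte API requests that lack auth_success="true" in key=value log lines.

Mirrors the SIEM query: event="api_request" AND NOT auth_success="true".
The line format is an assumption; adapt parse_line() to your deployment.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real Zerobyte output).
SAMPLE_LOG = """\
ts=2025-01-01T10:00:00Z event="api_request" src_ip="10.0.0.5" path="/api/backups" auth_success="true"
ts=2025-01-01T10:00:02Z event="auth_failure" src_ip="203.0.113.9" path="/api/login"
ts=2025-01-01T10:00:03Z event="api_request" src_ip="203.0.113.9" path="/api/backups" auth_success="false"
ts=2025-01-01T10:00:04Z event="api_request" src_ip="203.0.113.9" path="/api/config" status="200"
ts=2025-01-01T10:00:05Z event="health" src_ip="10.0.0.1"
"""

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def is_unauthenticated_api_request(fields):
    """True for an api_request without auth_success="true"; a missing field counts as unauthenticated."""
    return fields.get("event") == "api_request" and fields.get("auth_success") != "true"


def find_suspicious(log_text):
    """Return (hits, per_ip): flagged records (annotated with after_auth_failure) and counts by src_ip."""
    hits, per_ip, failed_ips = [], defaultdict(int), set()
    for line in log_text.splitlines():
        fields = parse_line(line)
        ip = fields.get("src_ip", "?")
        if fields.get("event") == "auth_failure":
            failed_ips.add(ip)  # remember IPs that failed to log in earlier in the window
        if is_unauthenticated_api_request(fields):
            fields["after_auth_failure"] = ip in failed_ips
            hits.append(fields)
            per_ip[ip] += 1
    return hits, dict(per_ip)


if __name__ == "__main__":
    hits, per_ip = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h.get("src_ip")} {h.get("path")} auth_success={h.get("auth_success", "<missing>")} '
              f'after_auth_failure={h["after_auth_failure"]}')
    print("unauthenticated API requests per source IP:", per_ip)
```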