
Securden Unified PAM Vulnerability Allows Attackers to Bypass Authentication

Cybersecurity researchers have identified a critical security flaw in Securden Unified PAM, allowing attackers to bypass authentication mechanisms and gain unauthorised access to sensitive credentials and system functions. This vulnerability, designated as CVE-2025-53118 and assigned a CVSS score of 9.4, is one of four significant security issues discovered within the privileged access management solution that could lead to complete system compromise.

The authentication bypass exploits a fundamental flaw in Securden Unified PAM’s session management. Attackers can navigate to the /thirdparty-access endpoint to automatically receive a SecurdenSession cookie, which can then be used to obtain CSRF tokens and SecurdenPost cookies via the /get_csrf_token URL. This cookie-based authentication mechanism inadequately validates user authorisation, only checking for the presence of session tokens.

The discovery arose during continuous red teaming exercises conducted through Rapid7’s Vector Command service, where analysts recognised the severe implications for organisations relying on the PAM solution for credential management and access control.
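The root cause described above is an authorisation check that only asks "is there a session cookie?" rather than "is this session bound to an authenticated principal with the required role?". The following Python snippet is an added illustration, not Securden's code, contrasting the two patterns with a constructed in-memory session store; the names `Session`, `weak_authorize`, `strict_authorize` and `handle_configure_schedule` are hypothetical.

```python
"""Added illustration (not Securden's code): a presence-only session check
beside a check that requires an authenticated, role-bound session."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    session_id: str
    user: Optional[str] = None      # None for a session issued before any login
    role: Optional[str] = None      # e.g. "superadmin"; set only after login
    authenticated: bool = False


# Constructed session store: one pre-authentication session (the kind a
# "/thirdparty-access"-style endpoint might hand out), one superadmin, one
# ordinary operator.
SESSIONS = {
    "anon-1": Session("anon-1"),
    "admin-1": Session("admin-1", user="alice", role="superadmin", authenticated=True),
    "user-1": Session("user-1", user="bob", role="operator", authenticated=True),
}


def weak_authorize(cookie: Optional[str], required_role: str) -> bool:
    """Vulnerable pattern: any session id the server knows about is accepted.
    The required role is never consulted, so a pre-authentication session
    reaches privileged handlers."""
    return cookie in SESSIONS


def strict_authorize(cookie: Optional[str], required_role: str) -> bool:
    """Hardened pattern: the session must exist, must have completed
    authentication, must be bound to a user, and must carry the role the
    handler demands."""
    session = SESSIONS.get(cookie or "")
    if session is None or not session.authenticated or session.user is None:
        return False
    return session.role == required_role


def handle_configure_schedule(
    cookie: Optional[str], authorize: Callable[[Optional[str], str], bool]
) -> int:
    """Hypothetical privileged handler; returns an HTTP-style status code.
    Backup scheduling is an administrative action, so it demands superadmin."""
    if not authorize(cookie, "superadmin"):
        return 403
    return 200


if __name__ == "__main__":
    for cookie in ("anon-1", "user-1", "admin-1", None):
        print(cookie, "weak:", handle_configure_schedule(cookie, weak_authorize),
              "strict:", handle_configure_schedule(cookie, strict_authorize))
```

With the weak check the pre-authentication session `anon-1` reaches the privileged handler; with the strict check only `admin-1` does. The design point is that session identity and authorisation are separate facts, and a handler must verify both.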

In addition to the primary authentication bypass, researchers uncovered three additional vulnerabilities that exacerbate the security risk. These include an unauthenticated unrestricted file upload flaw (CVE-2025-53119), a path traversal vulnerability in file upload functionality (CVE-2025-53120), and a shared SSH key infrastructure issue (CVE-2025-6737) affecting Securden’s cloud gateway services.

The authentication bypass vulnerability showcases sophisticated attack vectors through its exploitation of backup functionality. Once attackers obtain the necessary session tokens, they can access the /configure_schedule endpoint to trigger encrypted password backups with administrator privileges. This attack leverages the SCHEDULE_ENCRYPTED_HTML_BACKUP type to extract complete credential databases, requiring only the existence of a superadmin account within the system.

Technical analysis indicates that successful exploitation necessitates removing the X-Requested-With header during authentication bypass requests, as the server returns errors when this header is present. Attackers can specify custom backup locations, including external SMB shares or the application’s static webroot folder, enabling direct downloads of encrypted credential files. The predictable patterns of backup filenames based on timestamps make them susceptible to brute-force discovery attacks.

The impact of this vulnerability extends beyond simple credential theft, as it can lead to complete remote code execution when combined with the file upload vulnerabilities by overwriting system files like Postgr.
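For defenders, the sequence described above (a session handed out by /thirdparty-access, CSRF material fetched from /get_csrf_token, then a privileged call to /configure_schedule, with the X-Requested-With header absent) is a detectable pattern in access logs. The following Python snippet is an added detection example, not from the article or from Securden; it assumes a constructed, simplified log format in which the session cookie value and the presence of X-Requested-With are logged per request (real Securden logs may not record these fields, so the parser would need adapting).

```python
"""Added detection example (not Securden's or Rapid7's code): flag sessions
issued by an unauthenticated endpoint that are later used against a
privileged endpoint, over constructed access-log lines."""
import re
from typing import Dict, Iterator, List

# Constructed log lines in a simplified format; the "session=" and "xrw="
# fields are assumptions about what a tuned log pipeline would record.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 203.0.113.7 GET /thirdparty-access 200 session=s-anon-42 xrw=no
2025-07-01T10:00:02Z 203.0.113.7 GET /get_csrf_token 200 session=s-anon-42 xrw=no
2025-07-01T10:00:05Z 203.0.113.7 POST /configure_schedule 200 session=s-anon-42 xrw=no
2025-07-01T10:01:00Z 198.51.100.9 POST /login 200 session=s-auth-77 xrw=yes
2025-07-01T10:01:03Z 198.51.100.9 POST /configure_schedule 200 session=s-auth-77 xrw=yes
2025-07-01T10:02:00Z 192.0.2.5 GET /get_csrf_token 200 session=s-auth-77 xrw=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"session=(?P<session>\S+) xrw=(?P<xrw>yes|no)$"
)

# Endpoints named in the article; "/login" is a hypothetical authentication
# endpoint used here to mark a session as authenticated.
UNAUTH_ISSUER = "/thirdparty-access"
AUTH_ENDPOINT = "/login"
PRIVILEGED_ENDPOINTS = {"/configure_schedule"}


def parse_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per well-formed line; malformed lines are skipped
    rather than crashing the detector."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def detect_unauth_session_reuse(text: str) -> List[Dict[str, str]]:
    """Return an alert for every privileged request made with a session that
    was issued by the unauthenticated endpoint and never passed through
    authentication. The missing X-Requested-With header is recorded as a
    secondary indicator, not as a condition for alerting."""
    unauth_sessions = set()
    alerts: List[Dict[str, str]] = []
    for rec in parse_log(text):
        if rec["path"] == UNAUTH_ISSUER and rec["status"] == "200":
            unauth_sessions.add(rec["session"])
        elif rec["path"] == AUTH_ENDPOINT and rec["status"] == "200":
            unauth_sessions.discard(rec["session"])
        elif rec["path"] in PRIVILEGED_ENDPOINTS and rec["session"] in unauth_sessions:
            alerts.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "session": rec["session"],
                "path": rec["path"],
                "x_requested_with_missing": "yes" if rec["xrw"] == "no" else "no",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_unauth_session_reuse(SAMPLE_LOG):
        print("ALERT", alert)
```

On the constructed sample only session `s-anon-42` is flagged: it was issued by /thirdparty-access, never authenticated, and then used against /configure_schedule. The legitimate superadmin session `s-auth-77` is not flagged because it passed through the authentication endpoint first. Keying on the session's origin rather than on the privileged request alone avoids alerting on every routine backup scheduling call.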

Categories: Cybersecurity Vulnerabilities, Authentication Bypass, Privileged Access Management 

Tags: Securden, PAM, Authentication Bypass, CVE-2025-53118, CVSS Score, Session Management, Credential Management, File Upload Vulnerability, Remote Code Execution, Security Assessment 
