CVE-2025-22272
Description
In the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint, it is possible to inject code in the "modalDlgMsgInternal" parameter via POST, which is then executed in the browser. The risk of exploiting the vulnerability is reduced because the Content-Security-Policy must additionally be bypassed.
This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CyberArk Endpoint Privilege Manager SaaS 24.7.1 has a reflected XSS in a dialog endpoint, partially mitigated by CSP, requiring bypass for exploitation.
Vulnerability Overview
The endpoint /EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg in CyberArk Endpoint Privilege Manager (EPM) SaaS version 24.7.1 is vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of user input in the modalDlgMsgInternal POST parameter [1][2]. The injected script is executed in the user's browser when the endpoint is accessed.
Exploitation Details
An attacker can send a crafted POST request to the vulnerable endpoint with malicious JavaScript code in the modalDlgMsgInternal parameter. However, the exploitation is complicated because the application implements a Content-Security-Policy (CSP) that must be bypassed to achieve code execution [1]. The attack requires the victim to visit a malicious link or submit a form, as the vulnerability is reflected and not stored [2]. No authentication is explicitly required to trigger the endpoint, but the CSP reduces the severity to Low.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This could lead to session hijacking, data exfiltration, or further attacks within the application [1]. The limited scope due to CSP makes it less likely to be exploited in practice.
Mitigation Status
The vulnerability affects CyberArk EPM SaaS version 24.7.1. The vendor was contacted multiple times without response, so no official patch or workaround has been confirmed [1][2]. Users are advised to monitor for updates from CyberArk and consider implementing additional web application firewall rules or strict CSP headers to mitigate risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
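One way to express the web application firewall rule suggested under Mitigation Status, as an added example that is not CyberArk's code or part of the CVE record. The endpoint and parameter names come from the description; the request object shape, the decode bound and the rule that a dialog message should contain no angle brackets are assumptions.

```javascript
// Added example: request check for the endpoint and parameter named in the advisory.
const ENDPOINT = '/epmui/modaldlghandler.ashx'; // from the advisory, lower-cased
const ACTION = 'showreadonlydlg';               // "value" query argument, lower-cased
const PARAM = 'modaldlgmsginternal';            // POST parameter, lower-cased
const MAX_DECODE_ROUNDS = 3;                    // assumption: bound on nested encoding
const MARKUP = /[<>]/;                          // assumption: messages are plain text

// Percent-decode repeatedly so double-encoded markup is still visible.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // stray '%'
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns { inScope, flagged } for one request ({ method, url, body }).
function inspectRequest(req) {
  const url = new URL(req.url, 'https://placeholder.invalid');
  const action = (url.searchParams.get('value') || '').toLowerCase();
  const inScope = req.method.toUpperCase() === 'POST' &&
    url.pathname.toLowerCase() === ENDPOINT && action === ACTION;
  if (!inScope) return { inScope: false, flagged: false };
  // URLSearchParams removes one encoding layer; fullyDecode removes the rest.
  for (const [name, value] of new URLSearchParams(req.body)) {
    if (name.toLowerCase() === PARAM && MARKUP.test(fullyDecode(value))) {
      return { inScope: true, flagged: true };
    }
  }
  return { inScope: true, flagged: false };
}

// Constructed sample requests (not captured traffic).
const TARGET = '/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg';
const SAMPLES = [
  { method: 'POST', url: TARGET, body: 'modalDlgMsgInternal=Policy+saved' },
  { method: 'POST', url: TARGET, body: 'modalDlgMsgInternal=%3Cb%3EPLACEHOLDER%3C%2Fb%3E' },
  { method: 'POST', url: TARGET, body: 'MODALDLGMSGINTERNAL=%253Cb%253EPLACEHOLDER' },
  { method: 'POST', url: TARGET, body: 'modalDlgMsgInternal=100%25+done' },
  { method: 'GET', url: TARGET, body: '' },
];

function runSamples() {
  return SAMPLES.map((req) => inspectRequest(req).flagged);
}
console.log(runSamples()); // [ false, true, true, false, false ]
```

The parameter name is matched case-insensitively because ASP.NET form keys are, and the fourth sample shows that a literal percent sign in a benign message does not abort the check.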
Affected products
- Range: 24.7.1
Patches
No patches discovered yet.