CVE-2025-3837
Description
An improper input validation vulnerability is identified in the End of Life (EOL) OVA-based connect component which is deployed for installation purposes in the customer's internal network. This EOL component was deprecated in September 2023, with end of support extended until January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject a code execution payload, which could lead to remote code execution on the infrastructure hosting this component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An input validation flaw in an EOL Saviynt OVA install component allows remote code execution via crafted request parameters.
Vulnerability
Analysis
An improper input validation vulnerability exists in the End of Life (EOL) OVA-based connect component used for initial installation within a customer's internal network [1]. This component was deprecated in September 2023, with end of support extended until January 2024 [1]. The root cause is a failure to properly sanitize or validate a specific request parameter, enabling an attacker to inject arbitrary code [1].
Exploitation
An actor can manipulate a particular request parameter and inject a code execution payload [1]. The attack is network-based, requiring access to the infrastructure hosting this EOL component, which is deployed inside the customer's internal network [1]. No authentication or other special privileges are mentioned as prerequisites for exploitation [1].
Impact
Successful exploitation leads to remote code execution on the infrastructure hosting the vulnerable component [1]. This can allow an attacker to gain full control over the affected system, potentially moving laterally within the customer network or compromising sensitive data [1].
Mitigation
The component is End of Life (EOL) and has not been supported since January 2024 [1]. Saviynt has not released a patch, as the software is deprecated [1]. Any customers still using this OVA component should immediately remove it and follow current installation procedures to mitigate risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References