Home

Description

Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30.

PUBLISHED Reserved 2025-04-15 | Published 2025-08-26 | Updated 2025-08-29 | Assigner cisa-cg




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-1392 Use of Default Credentials

Product status

Default status
unknown

Any version before Release 30
affected

Release 30
unaffected

Credits

Matthew Galligan, CISA Rapid Action Force (RAF)

References

wiki.agiloft.com/display/HELP/What's+New:+CVE+Resolution (url)

raw.githubusercontent.com/...IT/white/2025/va-25-239-01.json (url)

www.cve.org/CVERecord?id=CVE-2025-35114 (url)

cve.org (CVE-2025-35114)

nvd.nist.gov (CVE-2025-35114)

Download JSON