CVE-2025-35115 | THREATINT

Description

Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30.

PUBLISHED Reserved 2025-04-15 | Published 2025-08-26 | Updated 2025-08-29 | Assigner cisa-cg

CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-494 Download of Code Without Integrity Check

Product status

Default status

unknown

Any version before Release 30

affected

Release 30

unaffected

Credits

Matthew Galligan, CISA Rapid Action Force (RAF)

References

wiki.agiloft.com/display/HELP/What's+New:+CVE+Resolution (url)

raw.githubusercontent.com/...IT/white/2025/va-25-239-01.json (url)

www.cve.org/CVERecord?id=CVE-2025-35115 (url)

cve.org (CVE-2025-35115)

nvd.nist.gov (CVE-2025-35115)

Download JSON