CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-26512

CVSS 9.9v3.1pub. 2025-03-24upd. 2026-01-16

SnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed.

🤖 AI Analysis
How it works

The vulnerability is related to improper handling of permissions (CWE-266), which allows an authenticated SnapCenter Server user to obtain unauthorized administrative privileges on remote hosts managed by SnapCenter plugins. The attacker does not need interaction from another user or particularly high initial privileges — simply having a regular account on SnapCenter Server is sufficient. The attack scope extends beyond the source component (S:C), meaning it is possible to impact systems external to the SnapCenter server itself.

Impact

An attacker can gain full administrative control over remote systems where SnapCenter plugins are installed, leading to complete compromise of confidentiality, integrity, and availability of these systems.

Mitigation & patch

NetApp SnapCenter should be updated to version 6.0.1P1 or 6.1P1 (depending on the branch in use). Detailed instructions are available in the official NetApp security bulletin at https://security.netapp.com/advisory/NTAP-20250324-0001.

Who is affected

NetApp SnapCenter in versions prior to 6.0.1P1 and 6.1P1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Netapp Snapcenter

    APP
    Netapp
    6.0.16.1< 6.0.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2021-44228CRITICAL10.0⚠ KEVten sam produkt

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...

CVE-2023-1096CRITICAL9.8ten sam produkt

SnapCenter versions 4.7 prior to 4.7P2 and 4.8 prior to 4.8P1 are susceptible to a vulnerability which could a...

CVE-2022-33980CRITICAL9.8ten sam produkt

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated ...

CVE-2022-2274CRITICAL9.8ten sam produkt

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AV...

CVE-2021-3711CRITICAL9.8ten sam produkt

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt()....