CRITICAL🇵🇱 Wersja polska

CVE-2025-32440

CVSS 10.0v3.1pub. 2025-05-27upd. 2025-07-11

NetAlertX is a network, presence scanner and alert framework. Prior to version 25.4.14, it is possible to bypass the authentication mechanism of NetAlertX to update settings without authentication. An attacker can trigger sensitive functions within util.php by sending crafted requests to /index.php. This issue has been patched in version 25.4.14.

🤖 AI Analysis
How it works

The vulnerability results from the lack of authentication requirement (CWE-306) for sensitive functions handled by the util.php file. An attacker can send a specially crafted HTTP request to the /index.php endpoint, which allows triggering these functions while bypassing any identity verification. As a result, unauthorized modification of application configuration is possible without possessing any credentials.

Impact

An attacker without any privileges and from any network location can modify NetAlertX settings, which may lead to complete takeover of the application, loss of data confidentiality and integrity, and disruption of the network monitoring system's availability.

Mitigation & patch

NetAlertX must be immediately updated to version 25.4.14 or later, in which the issue has been fixed. The patch is available in the project repository on GitHub at the address indicated in the references.

Who is affected

NetAlertX in all versions prior to 25.4.14

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Netalertx

    APP
    Netalertx
    < 25.4.14
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-48952CRITICAL9.4PL ✓ten sam produkt

NetAlertX: Pominięcie uwierzytelnienia przez PHP magic hash (SHA-256)

CVE-2024-46506CRITICAL10.0PL ✓ten sam produkt

NetAlertX — nieuwierzytelniony command injection via savesettings (RCE)

CVE-2024-48766HIGH8.6ten sam produkt

NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redi...