{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13480", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2025-11-20T14:44:26.478Z", "datePublished": "2026-04-20T09:00:16.259Z", "dateUpdated": "2026-04-20T09:00:16.259Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Fudo Enterprise", "vendor": "Fudo Security", "versions": [{"lessThanOrEqual": "5.6.2", "status": "affected", "version": "5.5.0", "versionType": "semver"}]}], "datePublic": "2026-04-20T15:11:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings.<br>This vulnerability has been fixed in version 5.6.3"}], "value": "Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings.\nThis vulnerability has been fixed in version 5.6.3"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-20T09:00:16.259Z"}, "references": [{"tags": ["product"], "url": "https://www.fudosecurity.com/product/enterprise"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/04/CVE-2025-13480"}, {"tags": ["release-notes"], "url": "https://download.fudosecurity.com/documentation/fudo/5_6/rn/RN_5.6.3.pdf"}], "source": {"discovery": "INTERNAL"}, "title": "Incorrect authorization in Fudo Enterprise", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings.\nThis vulnerability has been fixed in version 5.6.3"}], "id": "CVE-2025-13480", "lastModified": "2026-04-20T10:16:16.060", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-20T10:16:16.060", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2026/04/CVE-2025-13480"}, {"source": "cvd@cert.pl", "url": "https://download.fudosecurity.com/documentation/fudo/5_6/rn/RN_5.6.3.pdf"}, {"source": "cvd@cert.pl", "url": "https://www.fudosecurity.com/product/enterprise"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T10:20:45.608054+00:00", "value": {"mitigation_remediation": ["Upgrade to Fudo Enterprise version 5.6.3 or later to receive the official fix.", "Enforce strict role\u2011based access controls on API endpoints so only administrators can access logs and configuration data.", "Monitor API usage for abnormal access patterns to detect and respond to potential misuse of privileges."], "summary": {"action": "Upgrade", "impact": "Unauthorized access to sensitive data"}, "threat_synthesis": {"affected_systems": "All installations of Fudo Security Fudo Enterprise running versions 5.5.0 through 5.6.2 are affected. The issue has been fixed in version 5.6.3 and later.", "description_and_impact": "Fudo Enterprise API endpoints fail to enforce proper authorization, allowing users with limited privileges to retrieve administrative data such as system logs and configuration settings. This flaw provides direct access to sensitive information, compromising confidentiality and potentially exposing operational secrets.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.1, indicating moderate severity. It is not listed in the CISA KEV catalog and no EPSS score is available. Exploitation requires an existing user account with non-administrative privileges, so attacks are typically internal or on trusted networks where such accounts exist. The attacker can read logs and configuration settings, but the impact is limited to data disclosure rather than system compromise."}}}}, "created": "2026-04-20T10:30:04.395719+00:00", "updated": "2026-04-20T10:30:04.395737+00:00", "vendors": []}