CVE-2025-25497
Published: 06 March 2025
Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems (the MITRE ATT&CK description of T1098, Account Manipulation, the technique this vulnerability maps to).
Security Summary
CVE-2025-25497 is a vulnerability in the account management interface of Netsweeper Server versions 8.2.6 and earlier. It stems from client-side-only restrictions and a lack of server-side validation, allowing unauthorized modifications to the "Account Owner" field. This flaw enables attackers to reassign account ownership to or away from any user. The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-602 (Client-Side Enforcement of Server-Side Security).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to alter account ownership arbitrarily, potentially granting unauthorized control over other users' accounts and leading to high impacts on confidentiality and integrity, such as data access or privilege escalation within the Netsweeper environment.
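The failure pattern described above, as an added illustration that is not Netsweeper's code: a hypothetical account-edit handler in which the "account_owner" form field is merely rendered read-only in the UI (client-side enforcement, CWE-602), placed beside a hardened handler that decides from the server-side session whether the caller may change ownership at all. The user, account and form names are constructed for the example; the point is that a logged-in low-privilege user who crafts the POST body herself bypasses the UI restriction entirely unless the server re-checks it.

```python
"""Added illustration of CWE-602 in an account-edit handler (hypothetical code,
not Netsweeper's). The vulnerable handler trusts a form field the UI only hides
client-side; the hardened handler re-checks authorization on the server."""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    owner: str                      # username of the account owner
    data: dict = field(default_factory=dict)


@dataclass
class User:
    username: str
    is_admin: bool = False


class PermissionDenied(Exception):
    pass


# Constructed sample state: two regular users and one administrator.
USERS = {
    "alice": User("alice"),
    "mallory": User("mallory"),
    "root": User("root", is_admin=True),
}


def fresh_accounts():
    """Return a fresh copy of the constructed sample accounts."""
    return {
        1: Account(1, owner="alice", data={"notes": "alice's policy"}),
        2: Account(2, owner="mallory"),
    }


def render_edit_form(actor: User, account: Account) -> dict:
    """Client-side control only: the UI marks the owner field read-only for
    non-admins. The browser is attacker-controlled, so this protects nothing."""
    return {
        "account_owner": {"value": account.owner, "readonly": not actor.is_admin},
        "notes": {"value": account.data.get("notes", ""), "readonly": False},
    }


def update_account_vulnerable(actor: User, accounts: dict, account_id: int, form: dict) -> Account:
    """VULNERABLE: applies whatever 'account_owner' the client posts.
    Only that the actor is logged in (PR:L) is checked, never the right to reassign."""
    if actor.username not in USERS:
        raise PermissionDenied("not logged in")
    acct = accounts[account_id]
    if "notes" in form:
        acct.data["notes"] = form["notes"]
    if "account_owner" in form:          # field was only hidden in the UI
        acct.owner = form["account_owner"]
    return acct


def update_account_hardened(actor: User, accounts: dict, account_id: int, form: dict) -> Account:
    """HARDENED: authorization is decided server-side from the session, not from
    the submitted form. Only the owner or an admin may edit the account, and
    only an admin may change the owner field (to a known user)."""
    acct = accounts[account_id]
    if not (actor.is_admin or acct.owner == actor.username):
        raise PermissionDenied(f"{actor.username} may not edit account {account_id}")
    if "account_owner" in form and form["account_owner"] != acct.owner:
        if not actor.is_admin:
            raise PermissionDenied(f"{actor.username} may not reassign ownership")
        if form["account_owner"] not in USERS:
            raise ValueError("unknown target owner")
        acct.owner = form["account_owner"]
    if "notes" in form:
        acct.data["notes"] = form["notes"]
    return acct


def demo() -> dict:
    """Replay the same forged requests against both handlers; returns the outcomes."""
    mallory, root = USERS["mallory"], USERS["root"]
    # The form as rendered tells mallory the owner field is read-only...
    assert render_edit_form(mallory, fresh_accounts()[1])["account_owner"]["readonly"]
    # ...but she crafts the POST bodies herself, bypassing the UI.
    take_over = {"account_owner": "mallory", "notes": "taken over"}   # reassign TO herself
    give_away = {"account_owner": "alice"}                             # reassign AWAY from herself

    vuln = fresh_accounts()
    update_account_vulnerable(mallory, vuln, 1, take_over)
    update_account_vulnerable(mallory, vuln, 2, give_away)

    hard = fresh_accounts()
    blocked = 0
    for acct_id, body in ((1, take_over), (2, give_away)):
        try:
            update_account_hardened(mallory, hard, acct_id, body)
        except PermissionDenied:
            blocked += 1
    update_account_hardened(root, hard, 2, give_away)   # legitimate admin reassignment still works
    return {
        "vulnerable_owners": (vuln[1].owner, vuln[2].owner),
        "hardened_owners": (hard[1].owner, hard[2].owner),
        "hardened_blocked": blocked,
    }
```

The hardened handler never consults the form to decide who may do what; the session identity and the stored owner are the only inputs to the authorization decision, and the owner field is accepted only when an administrator submits it with a valid target user.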
Netsweeper addressed the vulnerability in version 8.2.7, as detailed in their release notes. Security practitioners should update affected Netsweeper Server installations to v8.2.7 or later to mitigate the issue, with further details available in the vendor's documentation and related advisories like those on PacketStorm.
Details
- CWE(s): CWE-602 (Client-Side Enforcement of Server-Side Security)
- MITRE ATT&CK Enterprise Techniques: T1098 (Account Manipulation)
Why these techniques?
The vulnerability directly enables unauthorized modification of account ownership properties, mapping to T1098 Account Manipulation for privilege escalation and unauthorized access.