Cyber Posture

CVE-2025-68435

Critical

Published: 17 December 2025
Modified: 05 March 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Zerobyte is a backup automation tool. Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability in which the authentication middleware is not properly applied to API endpoints. As a result, certain API endpoints are accessible without valid session credentials.

This is dangerous for deployments that expose Zerobyte outside their internal network. A fix has been applied in both version 0.18.5 and version 0.19.0. If an immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only, using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended.

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

- prevent: Enforces approved authorizations for access to system resources, directly addressing the failure of authentication middleware to protect API endpoints.
- prevent: Limits and explicitly authorizes only defined actions without identification or authentication, preventing unauthorized access to sensitive API endpoints.
- prevent: Requires timely identification, reporting, and remediation of flaws like this authentication bypass through software upgrades to fixed versions.

Security Summary (AI-generated)

CVE-2025-68435 is an authentication bypass vulnerability affecting Zerobyte, an open-source backup automation tool. Versions prior to 0.18.5 and 0.19.0 fail to properly apply authentication middleware to certain API endpoints, allowing unauthorized access without valid session credentials. The issue, mapped to CWE-305 (Authentication Bypass by Primary Weakness), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

Remote attackers with network access to a Zerobyte instance can exploit this vulnerability without privileges, user interaction, or special conditions. By directly targeting unprotected API endpoints, they can achieve high-level unauthorized access, potentially reading sensitive backup data or modifying configurations and operations, especially in deployments exposed beyond internal networks.

The Zerobyte security advisory (GHSA-x539-c98q-38gv) and related GitHub issue (#161) detail patches in versions 0.18.5 and 0.19.0 via commit 13e080a18967705bd2b4e110e5f7693fdca1c692. Immediate upgrades are recommended; as a temporary measure, administrators should restrict network access to trusted networks using firewall rules or segmentation.
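To make the failure mode described above concrete, here is an added example in JavaScript (not Zerobyte's code; the router, handlers and session cookie are constructed for illustration): a toy router in which the session guard is attached route by route and one endpoint is forgotten, the same router with a single guard on the whole `/api` prefix, and an audit helper an application's own test suite can run to list routes that answer without a session.

```javascript
// Added example (not Zerobyte's code): toy router showing the per-route middleware
// pattern behind CWE-305, a prefix-level guard that fixes it, and a self-audit.
const VALID_SESSION = 'sid=valid-session'; // constructed sample credential

// Session guard: returns a 401 response when the request has no valid session.
function requireSession(req) {
  return req.cookie === VALID_SESSION ? null : { status: 401, body: 'unauthorized' };
}

class Router {
  constructor() { this.routes = new Map(); this.guards = []; }
  // Prefix guard: runs before the handler of every path under `prefix`.
  guard(prefix, fn) { this.guards.push({ prefix, fn }); }
  route(path, handler, middleware = []) { this.routes.set(path, { handler, middleware }); }
  handle(req) {
    const r = this.routes.get(req.path);
    if (!r) return { status: 404, body: 'not found' };
    const chain = this.guards.filter(g => req.path.startsWith(g.prefix)).map(g => g.fn);
    for (const fn of [...chain, ...r.middleware]) {
      const res = fn(req); if (res) return res; // a returned response short-circuits the request
    }
    return r.handler(req);
  }
}
const listBackups = () => ({ status: 200, body: ['nightly-db'] });
const updateSchedule = () => ({ status: 200, body: 'schedule updated' });
const health = () => ({ status: 200, body: 'ok' });

// Vulnerable pattern: the guard is attached route by route, and one route is forgotten.
function buildVulnerableRouter() {
  const r = new Router();
  r.route('/api/backups', listBackups, [requireSession]);
  r.route('/api/schedule', updateSchedule); // middleware omitted: reachable without a session
  r.route('/health', health);
  return r;
}
// Hardened pattern: one guard on the whole /api prefix, so a new route cannot opt out by omission.
function buildHardenedRouter() {
  const r = new Router();
  r.guard('/api', requireSession);
  r.route('/api/backups', listBackups);
  r.route('/api/schedule', updateSchedule);
  r.route('/health', health); // deliberately public, outside the guarded prefix
  return r;
}
// Self-audit for the app's own tests: request every route under `prefix` with no cookie, return those not answering 401.
function auditUnauthenticated(router, prefix = '/api') {
  return [...router.routes.keys()]
    .filter(p => p.startsWith(prefix) && router.handle({ path: p }).status !== 401);
}
```

Running `auditUnauthenticated` against the vulnerable router reports `/api/schedule`; against the hardened router it reports nothing, which is the property a regression test should pin down after a fix like the one shipped in 0.18.5 and 0.19.0.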

Details

CWE(s): CWE-305 (Authentication Bypass by Primary Weakness)

Affected Products: nicotsx / zerobyte, versions 0.19.0 · ≤ 0.18.5

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an authentication bypass in a network-accessible API of a backup tool, directly enabling exploitation of a public-facing application for unauthorized access to sensitive data and configurations.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
