
CVE-2025-41090 PoC — CCN-CERT microCLAUDIA Security Vulnerability

Associated Vulnerability
Title: CCN-CERT microCLAUDIA Security Vulnerability (CVE-2025-41090)
Description: CCN-CERT microCLAUDIA is an anti-ransomware vaccine deployment system from Spain's CCN-CERT. CCN-CERT microCLAUDIA 3.2.0 and earlier versions contain a security vulnerability caused by improper access control, which may allow an attacker to perform unauthorized operations.
Description
CVE-2025-41090 (brokeCLAUDIA): Broken access control in microCLAUDIA, the anti-ransomware platform by CCN-CERT.
Readme
# ***🔓 brokeCLAUDIA - CVE-2025-41090***


<p align="center">
	<img src="Images/brokeclaudia.png" />
	<i>CVE-2025-41090 - Broken access control vulnerability in microCLAUDIA</i>
</p>


---
---
---


## ***📑 Table of Contents***

<ul>
	<li><a href="#microclaudia">What is microCLAUDIA?</a></li>
	<li><a href="#vulnerability">Vulnerability (CVE-2025-41090)</a></li>
<details>
	<summary>📂</summary>
	<ul>
		<li><a href="#vulnerability-disclosure">Public Disclosure</a></li>
		<li><a href="#vulnerability-cwe">CWE</a></li>
		<li><a href="#vulnerability-brokenaccesscontrol">Broken Access Control</a></li>
		<li><a href="#vulnerability-remediation">Remediation</a></li>
		<li><a href="#vulnerability-presentation">Presentation</a></li>
	</ul>
</details>
	<li><a href="#exploit">Exploit</a></li>
<details>
	<summary>📂</summary>
	<ul>
		<li><a href="#exploit-overview">Overview</a></li>
		<li><a href="#exploit-requirements">Requirements</a></li>
		<li><a href="#exploit-installation">Installation</a></li>
		<li><a href="#exploit-usage">Usage</a></li>
	</ul>
</details>
	<li><a href="#notes">Notes</a></li>
	<li><a href="#references">References</a></li>
</ul>


---
---
---


<div id='microclaudia'/>

## ***🧠 What is microCLAUDIA?***

[microCLAUDIA](https://www.ccn-cert.cni.es/en/tools/microclaudia-en.html) is a capability based on the [CLAUDIA](https://www.ccn-cert.cni.es/en/tools/claudia-en.html) engine that protects an organization's computers against ransomware. It does this with a lightweight agent for Windows systems that handles vaccine deployment and execution.

The agent connects to the [microCLAUDIA central service](https://microclaudia.ccn-cert.cni.es/), hosted in the CCN-CERT cloud, to download and run the vaccines that the organization has configured for its computers. Once the vaccines are downloaded, the agent needs neither cloud connectivity to run them nor any central service or server installed inside the organization. The service also updates these vaccines automatically to keep up with new ways of running ransomware.

CCN-CERT operates the central service in its cloud and is responsible for generating new vaccines; the organization logs in to that service to review the overall vaccination status of its computers and to configure how the vaccines are applied.

microCLAUDIA can be [deployed](https://github.com/TheMalwareGuardian/brokeCLAUDIA/blob/main/Manuals/microclaudia%20-%20manual%20de%20usuario.pdf) from any software distribution management tool or through Windows policies, and it requires no additional changes to the organization's network.

<p align="center">
	<img width="420px" src="Images/infografia-microclaudia.png" />
</p>


---
---
---


<div id='vulnerability'/>

## ***🐞 Vulnerability (CVE-2025-41090)***


<div id='vulnerability-disclosure'/>

### ***📬 Public Disclosure***

<p align="center">
	<img src="Images/CVE_Record.png" />
	<i><a href="https://www.cve.org/CVERecord?id=CVE-2025-41090">https://www.cve.org/CVERecord?id=CVE-2025-41090</a></i>
</p>

---

<p align="center">
	<img src="Images/INCIBE_CVE_Notice.png" />
	<i><a href="https://www.incibe.es/en/incibe-cert/notices/aviso/improper-access-control-ccn-cert-microclaudia">https://www.incibe.es/en/incibe-cert/notices/aviso/improper-access-control-ccn-cert-microclaudia</a></i>
</p>

<div id='vulnerability-cwe'/>

### ***🧩 CWE***

<p align="center">
	<img src="Images/CWE_306.png" />
	<i><a href="https://cwe.mitre.org/data/definitions/306.html">https://cwe.mitre.org/data/definitions/306.html</a></i>
</p>

<div id='vulnerability-brokenaccesscontrol'/>

### ***🚫 Broken Access Control***

[Broken access control](https://owasp.org/www-community/Broken_Access_Control) vulnerabilities exist when a user can access resources or perform actions that they are not supposed to be able to.

In version 3.2.0 and earlier versions of microCLAUDIA, there is a broken access control vulnerability (brokeCLAUDIA) that allows an attacker who has previously gained access to an account to access or modify data from other organizations not associated with the user.

In other words, the attacker could manipulate information from organizations that are not directly related to the compromised account.

The following points are essential to understanding this vulnerability:

- The attacker needs to obtain the identifiers associated with those organizations to perform the unauthorized actions.
- The vulnerability exists only when making requests through the API, not through the web interface.
- The identifiers used in web requests are transmitted in the URL, which poses a risk if an attacker gains access to the identifiers by dumping the history of a compromised machine.
- The manager role grants the ability to modify data (activate/deactivate vaccines, install/uninstall agents, etc.).


<div id='vulnerability-remediation'/>

### ***🛠️ Remediation***

Remediating the broken access control vulnerability identified in microCLAUDIA requires two measures. First, the API controls must be strengthened so that information cannot be accessed without authorization: direct access to data by identifier must be restricted, and the server must verify that the requesting user is associated with the organization before granting access to, or modification of, that organization's data.

Second, the transmission of identifiers in GET requests must be addressed. Identifiers that are vital for the main functionality should not be transmitted in a way that exposes them (for example, in the URL, where they end up in browser history and logs); a secure transmission method is recommended to strengthen this part of microCLAUDIA's security architecture.

Together, enhanced API controls and secure handling of identifiers mitigate the identified vulnerability and significantly reduce the risk of unauthorized access to and manipulation of sensitive information.
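The following Python example is an added illustration of the remediation described above; it is not microCLAUDIA's code and makes no claim about how the real service is implemented. It models a minimal multi-tenant API with two constructed organizations and one user, shows the class of defect (a handler that trusts the organization identifier from the request and only checks that it exists) beside a hardened handler that verifies the caller's membership in the organization, and the role the action needs, before touching any data. All names, identifiers, roles and records are constructed for the example.

```python
"""Organization-scoped authorization check for a multi-tenant API.

Added example, not microCLAUDIA's code. Everything below (organizations,
users, roles, identifiers) is constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not perform the action on the requested organization."""


@dataclass
class User:
    email: str
    # org_id -> role held in that organization ("viewer" or "manager"; constructed roles)
    memberships: dict = field(default_factory=dict)


# Constructed sample data: two tenants; the only user belongs to "org-a" as manager.
ORGS = {
    "org-a": {"name": "Tenant A", "vaccines": {"vac-1": True}},
    "org-b": {"name": "Tenant B", "vaccines": {"vac-9": True}},
}
USERS = {
    "alice@example.org": User("alice@example.org", {"org-a": "manager"}),
}

# Read-only actions are open to any member; state changes need the manager role.
REQUIRED_ROLE = {"read": ("viewer", "manager"), "write": ("manager",)}


def vulnerable_get_org(caller: User, org_id: str) -> dict:
    """The defect: the identifier is taken from the request and used directly.
    The only implicit check is that the organization exists, so any
    authenticated user who knows another organization's id reaches its data."""
    return ORGS[org_id]


def authorize(caller: User, org_id: str, action: str) -> str:
    """Return the caller's role in org_id if it permits `action`; otherwise raise.

    Membership is checked before any lookup, and a missing organization and a
    foreign organization produce the same error, so a caller cannot use the
    response to tell which organization identifiers are valid."""
    role = caller.memberships.get(org_id)
    if role is None or role not in REQUIRED_ROLE[action]:
        raise Forbidden(f"{caller.email} may not {action} organization {org_id}")
    return role


def can(caller: User, org_id: str, action: str) -> bool:
    """Boolean form of authorize(), convenient for callers and tests."""
    try:
        authorize(caller, org_id, action)
        return True
    except Forbidden:
        return False


def get_org(caller: User, org_id: str) -> dict:
    """Hardened read: membership in the organization is verified first."""
    authorize(caller, org_id, "read")
    return ORGS[org_id]


def set_vaccine_state(caller: User, org_id: str, vaccine_id: str, enabled: bool) -> bool:
    """Hardened write: requires the manager role in the target organization.
    Identifiers arrive as request-body parameters (function arguments here),
    not as URL components, so they are not captured in browser history."""
    authorize(caller, org_id, "write")
    org = ORGS[org_id]
    if vaccine_id not in org["vaccines"]:
        raise KeyError(vaccine_id)
    org["vaccines"][vaccine_id] = enabled
    return enabled


def demo() -> dict:
    """Run the vulnerable and hardened handlers against the sample data."""
    alice = USERS["alice@example.org"]
    results = {"vulnerable_cross_org_read": vulnerable_get_org(alice, "org-b")["name"]}
    try:
        get_org(alice, "org-b")
        results["hardened_cross_org_read"] = "allowed"
    except Forbidden:
        results["hardened_cross_org_read"] = "denied"
    results["own_org_write"] = set_vaccine_state(alice, "org-a", "vac-1", False)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the check is keyed on the caller's memberships rather than on the existence of the requested organization, and it runs before any data is read or written; with that in place, knowing another organization's identifier (whether guessed or recovered from a browser history) no longer grants access to it.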


<div id='vulnerability-presentation'/>

### ***🖥️ Presentation***

You can find the original presentation materials below:

- [PowerPoint](https://github.com/TheMalwareGuardian/brokeCLAUDIA/blob/main/Presentation/CVE_brokeCLAUDIA_Presentation.pptx)
- [PDF](https://github.com/TheMalwareGuardian/brokeCLAUDIA/blob/main/Presentation/CVE_brokeCLAUDIA_Presentation.pdf)

<p align="center">
	<img width="600px" src="Images/presentation.png" />
</p>

---
---
---


<div id='exploit'/>

## ***💥 Exploit***


<div id='exploit-overview'/>

### ***🧾 Overview***

A Python script developed specifically to detect the presence of the broken access control vulnerability in microCLAUDIA.


<div id='exploit-requirements'/>

### ***📦 Requirements***

- [microCLAUDIA account (email and password)](https://microclaudia.ccn-cert.cni.es/)
- [Python3](https://www.python.org/)


<div id='exploit-installation'/>

### ***🧰 Installation***

```
git clone https://github.com/TheMalwareGuardian/brokeCLAUDIA
cd brokeCLAUDIA/brokeClaudia        # main.py and requirements.txt live in this subdirectory
python -m venv venv
source venv/bin/activate            # Linux / macOS
# venv\Scripts\activate             # Windows (run this line instead of the one above)
pip3 install -r requirements.txt    # install dependencies into the activated virtual environment
```


<div id='exploit-usage'/>

### ***▶️ Usage***

```
python main.py
```

Watch the tool in action here: [📺 View Demo](https://github.com/TheMalwareGuardian/brokeCLAUDIA/blob/main/Videos/Tool.mp4)

<p align="center">
	<img src="Images/options.png" />
</p>


---
---
---


<div id='notes'/>

## ***🗒️ Notes***

* *It's important to note that the first identification of this flaw, or at least when the repository was created, dates back to version 2.16.3.*
* *The initial report concerning the existence of this vulnerability was sent to the National Cryptologic Center's (CCN) incident account, incidentes@ccn-cert.cni.es, on Monday, March 11th, 2024 at 5:54 PM.*
* *The tool/script was last used in March 2024 to verify the presence of the vulnerability, specifically on microCLAUDIA version 3.2.0.*
* *microCLAUDIA version 3.2.2 includes a fix for the vulnerability.*
* *As of version 3.6.1, the vulnerability remains fully patched. A prudent amount of time has passed since responsible disclosure, and no further exposure has been observed. Therefore, this information can now be published safely.*


---
---
---


<div id='references'/>

## ***🔗 References***

- [CVE-2025-41090](https://www.cve.org/CVERecord?id=CVE-2025-41090)
- [INCIBE: Improper Access control in CCN-CERT microCLAUDIA](https://www.incibe.es/en/incibe-cert/notices/aviso/improper-access-control-ccn-cert-microclaudia)
- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
- [Web CCN-Cert/CNI: microCLAUDIA Anti-Ransomware](https://www.ccn-cert.cni.es/en/tools/microclaudia-en.html)
- [Web OWASP: Broken Access Control](https://owasp.org/www-community/Broken_Access_Control)
- [Web OWASP Top10: A01 - Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
- [Web PortSwigger: Access control vulnerabilities and privilege escalation](https://portswigger.net/web-security/access-control)
- [Web EC-Council: What Is Broken Access Control Vulnerability?](https://www.eccouncil.org/cybersecurity-exchange/web-application-hacking/broken-access-control-vulnerability/)
File Snapshot

```
[4.0K] /data/pocs/f06a51f1388fe21c33011fe303fc7a486c3a8d81
├── [4.0K] brokeClaudia
│   ├── [4.0K] core
│   │   ├── [4.0K] common
│   │   │   ├── [   0] __init__.py
│   │   │   └── [4.0K] static
│   │   │       ├── [ 133] constants.py
│   │   │       ├── [ 32K] functions.json
│   │   │       └── [   0] __init__.py
│   │   ├── [   0] __init__.py
│   │   └── [4.0K] modules
│   │       ├── [4.0K] artascii
│   │       │   ├── [1.8K] artascii_draw.py
│   │       │   └── [   0] __init__.py
│   │       ├── [4.0K] historybrowser
│   │       │   ├── [5.2K] historybrowser_obtain.py
│   │       │   └── [   0] __init__.py
│   │       ├── [   0] __init__.py
│   │       └── [4.0K] microclaudia
│   │           ├── [   0] __init__.py
│   │           ├── [6.2K] microclaudia_pocs.py
│   │           ├── [4.2K] microclaudia_signin.py
│   │           ├── [3.6K] microclaudia_tokens.py
│   │           └── [4.0K] static
│   │               ├── [ 10K] endpoints.json
│   │               └── [   0] __init__.py
│   ├── [2.1K] main.py
│   ├── [4.0K] output
│   │   ├── [6.4K] microclaudia_patched_3.2.2_14032024_NOTVULNERABLE.txt
│   │   ├── [6.0K] microclaudia_vulnerable_2.16.3_17112023_VULNERABLE.txt
│   │   └── [ 476] README.md
│   └── [  69] requirements.txt
├── [4.0K] CVE Request
│   └── [3.4K] README.md
├── [4.0K] CVSS
│   └── [7.6K] README.md
├── [4.0K] Images
│   ├── [1.5M] brokeclaudia.png
│   ├── [100K] CVE_Record.png
│   ├── [336K] CWE_306.png
│   ├── [227K] INCIBE_CVE_Notice.png
│   ├── [323K] infografia-microclaudia.png
│   ├── [ 28K] options.png
│   └── [525K] presentation.png
├── [ 34K] LICENSE
├── [4.0K] Manuals
│   ├── [5.7M] 02 - Gestión de la Ciberseguridad - microCLAUDIA CCN.pdf
│   ├── [3.6M] microclaudia - manual de usuario.pdf
│   └── [ 316] README.md
├── [4.0K] Presentation
│   ├── [913K] CVE_brokeCLAUDIA_Presentation.pdf
│   ├── [3.2M] CVE_brokeCLAUDIA_Presentation.pptx
│   └── [ 799] README.md
├── [9.2K] README.md
├── [4.0K] Videos
│   └── [ 41M] Tool.mp4
└── [4.0K] Vulnerability Disclosure
    ├── [221K] Emails_1_CCN_Vulnerability_Disclosure_and_Assistance_to_Remediate.pdf
    ├── [ 51K] Emails_2_CVE_Request_to_MITRE_Referral_to_INCIBE.pdf
    ├── [156K] Emails_3_CVE_Coordination_with_INCIBE.pdf
    └── [872K] Emails_4_CVE_Assignment_Confirmation_amd_Public_Disclosure.pdf

18 directories, 43 files
```