CVE-2025-13807 Overview
CVE-2025-13807 is an improper authorization vulnerability [CWE-266] in Orionsec Orion-ops up to commit 5925824997a3109651bbde07460958a7be249ed1. The flaw resides in the MachineKeyController function within orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java. A remote authenticated attacker with low privileges can manipulate API requests to access machine key information beyond their authorization scope. The exploit is publicly disclosed. The vendor was contacted prior to public disclosure but did not respond.
Critical Impact
Remote authenticated attackers can exploit improper authorization in the MachineKeyController API to disclose sensitive machine key information.
Affected Products
- Orionsec Orion-ops up to commit 5925824997a3109651bbde07460958a7be249ed1
- Component: MachineKeyController API endpoint
- File: orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java
Discovery Timeline
- 2025-12-01 - CVE-2025-13807 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-13807
Vulnerability Analysis
The vulnerability stems from missing or insufficient authorization checks in the MachineKeyController class of Orion-ops. The controller exposes API endpoints handling machine key resources, but does not properly validate whether the authenticated requester has the necessary privileges to access requested objects. This pattern aligns with [CWE-266] Incorrect Privilege Assignment, where users receive privileges beyond their intended role boundary.
Orion-ops is an operations management platform that stores SSH machine keys used to administer remote hosts. Improper authorization on key-management endpoints exposes credential material that supports lateral movement across managed infrastructure.
Root Cause
The MachineKeyController does not enforce per-object authorization on API requests. Authenticated users with low privileges can issue API calls that return key-related data owned by other tenants or higher-privileged accounts. The check that should restrict object access to the owning principal is either absent or evaluated incorrectly.
Attack Vector
An attacker holds a low-privileged authenticated session on the Orion-ops web interface. The attacker then issues HTTP requests to the MachineKeyController API endpoints, manipulating identifiers or parameters to reference objects outside their authorization scope. The server returns the requested data without enforcing ownership or role checks. The attack is remote, requires no user interaction, and is documented in a public proof of concept.
For exploit details, see the GitHub PoC for Orion Ops and the VulDB #333817 CTI record.
Detection Methods for CVE-2025-13807
Indicators of Compromise
- API access log entries showing low-privileged accounts invoking MachineKeyController endpoints under /orion-ops-api/ paths.
- Repeated sequential or incrementing object identifier values in requests to machine key endpoints, indicating enumeration.
- Unusual volume of machine key API responses returned to non-administrative user sessions.
Detection Strategies
- Audit Orion-ops application logs for requests to MachineKeyController routes correlated with the requester's role and the owner of the returned object.
- Inspect web access logs for HTTP 200 responses on machine key endpoints invoked by accounts that should not own those keys.
- Compare authenticated user identifiers against the returned resource owner identifiers in API responses.
Monitoring Recommendations
- Forward Orion-ops application and web server logs to a centralized analytics platform for cross-correlation with identity context.
- Alert on bursts of API requests from a single session enumerating machine key object identifiers.
- Track authentication events for any account that subsequently accesses machine key endpoints outside its normal usage pattern.
How to Mitigate CVE-2025-13807
Immediate Actions Required
- Restrict network access to Orion-ops administrative interfaces to trusted operator networks only.
- Disable or remove unused low-privileged accounts that could be leveraged to invoke the vulnerable API.
- Rotate machine keys stored within Orion-ops that may have been exposed through the affected endpoint.
- Review API access logs for prior unauthorized access to machine key resources.
Patch Information
At the time of publication, no vendor patch is available. The vendor did not respond to the disclosure. Operators should monitor the Orion-ops project repository for updates beyond commit 5925824997a3109651bbde07460958a7be249ed1 and apply fixes that introduce per-object authorization checks in MachineKeyController.
Workarounds
- Place Orion-ops behind a reverse proxy that enforces authentication and IP allow-listing before requests reach the API.
- Implement a Web Application Firewall (WAF) rule blocking unauthenticated or low-privileged sessions from reaching MachineKeyController paths.
- Limit Orion-ops account provisioning to administrators only until an authorization fix is released.
- Revoke and reissue any SSH keys managed by Orion-ops where exposure cannot be ruled out.
# Example NGINX restriction limiting machine key endpoints to admin IPs
location ~ ^/orion-ops-api/.*/machine/key {
allow 10.0.0.0/24; # admin operator subnet
deny all;
proxy_pass http://orion_ops_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
