CVE-2025-58443 Overview
FOG Project is a free open-source cloning, imaging, rescue suite, and inventory management system used widely for endpoint provisioning. CVE-2025-58443 is an authentication bypass vulnerability [CWE-287] affecting FOG versions 1.5.10.1673 and below. An unauthenticated remote attacker can perform a full SQL database dump without supplying credentials. The exposed database typically contains host inventories, imaging configurations, user records, and credential material used by FOG-managed endpoints.
Critical Impact
An unauthenticated network attacker can extract the complete FOG SQL database, exposing managed asset inventories and stored credentials that can be reused to pivot deeper into the environment.
Affected Products
- FOG Project (GitHub repository fogproject) versions 1.5.10.1673 and below
- FOG stable release branch prior to the 9/15/2025 fix
- Deployments not updated to dev-branch or working-1.6
Discovery Timeline
- 2025-09-06 - CVE-2025-58443 published to NVD
- 2025-09-29 - Last updated in NVD database
Technical Details for CVE-2025-58443
Vulnerability Analysis
The flaw is an authentication bypass in the FOG management server that allows an unauthenticated HTTP client to invoke database export functionality. Because the affected endpoint does not validate session or credential state before returning data, an attacker reaching the FOG web interface over the network can retrieve the entire SQL database. FOG databases store host MAC addresses, image assignments, task history, snapin metadata, and user account hashes, which are sensitive both to confidentiality and to the integrity of downstream imaging operations.
The vulnerability is reachable over the network with no privileges and no user interaction, and FOG servers are commonly deployed inside provisioning VLANs that also reach client endpoints. An attacker who dumps the database gains a map of managed systems and credential hashes that can be cracked offline, enabling subsequent lateral movement.
Root Cause
The root cause is missing authentication on a database export code path. The application exposes a function that returns SQL data without first verifying that the request originates from an authenticated administrative session. This maps directly to [CWE-287] Improper Authentication.
Attack Vector
Exploitation requires only network reach to the FOG web service. An attacker issues a crafted HTTP request to the vulnerable export endpoint and receives the SQL dump in the response. No credentials, tokens, or social engineering are required. See the FOG Project GitHub Security Advisory GHSA-mvwm-9m2h-87p9 for vendor details. No public proof-of-concept exploit code is referenced in the advisory at the time of writing.
Detection Methods for CVE-2025-58443
Indicators of Compromise
- Unauthenticated HTTP requests to FOG management endpoints returning large response bodies consistent with SQL dump output
- Outbound transfers of large files originating from the FOG server to unexpected destinations
- New or unexpected administrative logins to systems whose credentials are stored in the FOG database
Detection Strategies
- Review FOG web server access logs for requests to database export or backup paths from clients without an active authenticated session
- Inspect web server logs for requests with no Cookie or session header that still receive 200 responses with unusually large payloads
- Correlate FOG server egress traffic with known administrator workstations and flag transfers to other sources
Monitoring Recommendations
- Alert on any HTTP response from the FOG server exceeding a size baseline appropriate for normal operation
- Monitor for credential reuse attempts against Active Directory and endpoint management systems for accounts present in the FOG database
- Enable file integrity monitoring on FOG configuration and database directories to detect tampering after exposure
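As an added example (not from the page or the FOG Project), the following POSIX shell/awk scan implements the second detection strategy above, cookie-less requests that still receive a 200 response with an unusually large payload, together with the response-size baseline from the monitoring recommendations. It assumes the Apache LogFormat shown in its comments (the Cookie request header appended to each entry) and assumes the FOG session cookie is PHP's default PHPSESSID; the client addresses, cookie values, byte counts and the export path in the sample log are constructed placeholders, not real FOG paths or captured traffic.

```shell
#!/bin/sh
# Added example, not FOG Project code. Flags HTTP 200 responses served to
# clients that presented no FOG session cookie and whose size far exceeds the
# largest 200 response served to an authenticated session (a crude baseline).
#
# Assumed Apache LogFormat on the FOG server (the Cookie header is appended so
# session state is visible in the log):
#   LogFormat "%h %t \"%r\" %>s %O \"%{Cookie}i\"" fogaudit
# i.e.  client [time] "request line" status bytes "cookie"

# Constructed sample log: addresses, cookie values, sizes and the export path
# are placeholders, not real FOG paths or captured traffic.
SAMPLE_LOG=$(cat <<'EOF'
10.10.50.12 [29/Sep/2025:10:01:02 +0000] "GET /fog/management/index.php HTTP/1.1" 200 4120 "PHPSESSID=2f9c1a"
10.10.50.12 [29/Sep/2025:10:03:44 +0000] "GET /fog/management/index.php?node=host HTTP/1.1" 200 5210 "PHPSESSID=2f9c1a"
198.51.100.7 [29/Sep/2025:10:04:01 +0000] "GET /fog/ HTTP/1.1" 302 512 "-"
198.51.100.7 [29/Sep/2025:10:04:09 +0000] "GET /fog/management/EXPORT-PATH-PLACEHOLDER HTTP/1.1" 200 9812344 "-"
10.10.50.31 [29/Sep/2025:10:05:30 +0000] "GET /fog/management/index.php?node=image HTTP/1.1" 200 6875 "PHPSESSID=8bd04e"
EOF
)

# flag_unauth_dumps LOGFILE [MULTIPLIER]
# Prints every 200 response without a session cookie whose byte count exceeds
# MULTIPLIER (default 10) times the largest authenticated 200 response in the
# same file. With no authenticated traffic in the file the baseline is 0, so
# every non-empty cookie-less 200 response is printed (conservative on purpose).
flag_unauth_dumps() {
    awk -F'"' -v mult="${2:-10}" '
    {
        # With " as the separator: $2 = request line, $3 = " status bytes ",
        # $4 = cookie header (which may legitimately contain spaces).
        split($3, sb, " ")
        status = sb[1]
        bytes  = sb[2] + 0
        cookie = $4
        if (status != 200) next
        if (cookie ~ /PHPSESSID=/) {
            if (bytes > base) base = bytes      # authenticated baseline
        } else {
            unauth[++n] = $0                    # candidate for review
            ubytes[n]   = bytes
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (ubytes[i] > base * mult) print unauth[i]
    }' "$1"
}

# Run against a real access log passed as the first argument, or against the
# constructed sample when called with none.
LOG="${1:-}"
if [ -z "$LOG" ]; then
    LOG=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$LOG"
    flag_unauth_dumps "$LOG" 10
    rm -f "$LOG"
else
    flag_unauth_dumps "$LOG" 10
fi
```

On the sample, the three authenticated responses set a baseline of 6875 bytes, the 302 redirect is ignored, and only the cookie-less 9812344-byte response from 198.51.100.7 is printed. On a real server, tune the multiplier to the size of the largest legitimate download (for example image listings or report exports) so that normal administrative traffic does not trip the alert, and treat any hit as a reason to check whether the FOG build is still below the fixed version.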
How to Mitigate CVE-2025-58443
Immediate Actions Required
- Upgrade FOG to the patched release on the dev-branch or working-1.6 branch as instructed by the vendor
- Restrict network access to the FOG web interface to provisioning administrators and imaging subnets only
- Rotate any credentials and service accounts stored in or referenced by the FOG database
Patch Information
The FOG Project maintainers indicated a fix release dated 9/15/2025. Administrators concerned about immediate exposure should upgrade to the latest dev-branch or working-1.6 build using the FOG Project installation documentation. Refer to GHSA-mvwm-9m2h-87p9 for the authoritative advisory.
Workarounds
- Place the FOG web interface behind a reverse proxy that enforces source IP allowlisting for administrative paths
- Block external access to the FOG server at the perimeter firewall until the patched version is deployed
- Audit and remove unnecessary high-privilege credentials from FOG configuration to reduce blast radius if a dump occurs
# Example: restrict FOG web access to a management subnet using iptables
# Replace 10.10.50.0/24 with the provisioning/administrator subnet.
# -A appends, so make sure no earlier INPUT rule already ACCEPTs tcp/80 or
# tcp/443, and mirror these rules with ip6tables if the server has IPv6 enabled.
iptables -A INPUT -p tcp --dport 80 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

