Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66360

CVE-2025-66360: Logpoint SIEM Privilege Escalation Flaw

CVE-2025-66360 is a privilege escalation vulnerability in Logpoint SIEM affecting versions before 7.7.0. Improper access controls expose Redis service data to li-admin users. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-66360 Overview

CVE-2025-66360 is an improper authorization vulnerability [CWE-863] affecting Logpoint SIEM versions before 7.7.0. An improperly configured access control policy exposes the internal Redis service to li-admin users. Authenticated administrators with limited scope can access sensitive internal communication data they should not see. This exposure can be leveraged to escalate privileges within the Logpoint deployment.

Critical Impact

An authenticated li-admin user can read sensitive Logpoint internal Redis data and escalate privileges within the SIEM platform.

Affected Products

  • Logpoint SIEM versions prior to 7.7.0
  • Deployments where li-admin accounts have access to the affected interface
  • Self-hosted Logpoint SIEM instances using internal Redis communication

Discovery Timeline

  • 2025-11-28 - CVE-2025-66360 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66360

Vulnerability Analysis

The flaw resides in the access control policy that governs which users can reach Logpoint's internal Redis service. Redis is used by Logpoint for internal inter-service communication and caches sensitive operational data. The policy fails to fully isolate this internal channel from li-admin users, who hold administrative privileges but should not have access to the internal service tier. Because the exposed Redis instance carries data used by higher-privileged components, an attacker holding li-admin credentials can read tokens, configuration, or queued messages and reuse them to obtain greater control over the platform.

Root Cause

The root cause is an authorization gap [CWE-863]. Logpoint's network or application-layer policy did not restrict the Redis endpoint to internal service identities only. Instead, the endpoint was reachable from a context where li-admin sessions operate. The product enforced authentication but not least-privilege segmentation between administrative roles and internal service traffic.

Attack Vector

The attack requires network access and an authenticated li-admin account, so the vulnerability is not exploitable by anonymous remote attackers. Once authenticated, the actor queries the exposed Redis service directly and reads its contents. Captured material is then used to pivot toward operations or accounts outside the li-admin scope. The CVSS 4.0 base score is 6.9, and the EPSS score is 0.249% at the 15.886 percentile, indicating low predicted exploitation activity at this time.

No public proof-of-concept code is available. Refer to the Logpoint advisory on Redis exposure for vendor-confirmed technical detail.

Detection Methods for CVE-2025-66360

Indicators of Compromise

  • Unexpected outbound connections from li-admin user sessions to the internal Redis port
  • Redis command activity (KEYS, GET, HGETALL, MONITOR) originating from administrative user contexts
  • New or modified Logpoint accounts created shortly after li-admin Redis access
  • Authentication events for higher-privileged roles following li-admin session activity

Detection Strategies

  • Audit Logpoint access logs for li-admin sessions that interact with internal service endpoints
  • Correlate Redis access events with the authenticated user identity in the originating session
  • Alert on privilege changes or role assignments performed close in time to Redis read operations
  • Compare current li-admin activity patterns against a known baseline of administrative behavior

Monitoring Recommendations

  • Forward Logpoint application logs and host network telemetry to a centralized analytics platform
  • Monitor TCP traffic to Redis ports (default 6379) on Logpoint nodes for non-service source identities
  • Track configuration changes to Logpoint role-based access control policies
  • Review administrative session durations and command volume for anomalies

How to Mitigate CVE-2025-66360

Immediate Actions Required

  • Upgrade Logpoint SIEM to version 7.7.0 or later as the primary remediation
  • Inventory all li-admin accounts and disable any that are unused or unnecessary
  • Rotate credentials, tokens, and secrets that may have been cached in the exposed Redis instance
  • Review recent administrative activity for signs of unauthorized Redis access

Patch Information

Logpoint addressed the issue in version 7.7.0. Apply the upgrade following the guidance in the Logpoint advisory on Redis exposure. After patching, verify the access control policy enforces separation between li-admin users and internal service traffic.

Workarounds

  • Restrict network reachability to the Redis service using host firewall rules so only internal service IPs can connect
  • Bind Redis to the loopback interface where the Logpoint architecture permits it
  • Limit issuance of li-admin privileges and require multi-factor authentication for those accounts
  • Place Logpoint management interfaces behind a segmented administrative network
bash
# Configuration example: restrict Redis to localhost via iptables
iptables -A INPUT -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.