Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 02 Sep 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Atlassian
Atlassian agiloft
CPEs cpe:2.3:a:atlassian:agiloft:*:*:*:*:*:*:*:*
Vendors & Products Atlassian
Atlassian agiloft

Fri, 29 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 Aug 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Agiloft
Agiloft agiloft
Vendors & Products Agiloft
Agiloft agiloft

Tue, 26 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
Description Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30.
Title Agiloft insecure download of system packages
Weaknesses CWE-494
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2025-08-29T18:27:45.417Z

Reserved: 2025-04-15T20:56:24.416Z

Link: CVE-2025-35115

cve-icon Vulnrichment

Updated: 2025-08-29T18:27:40.512Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-26T23:15:35.540

Modified: 2025-09-02T17:57:25.583

Link: CVE-2025-35115

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-27T11:41:37Z