CVE-2025-2245

Server Side Request Forgery in GravityZone Update Server Using Null Bytes (VA-12646)

Severity Score

6.9

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A server-side request forgery (SSRF) vulnerability exists in the Bitdefender GravityZone Update Server when operating in Relay Mode. The HTTP proxy component on port 7074 uses a domain allowlist to restrict outbound requests, but fails to properly sanitize hostnames containing null-byte (%00) sequences. By crafting a request to a domain such as evil.com%00.bitdefender.com, an attacker can bypass the allowlist check, causing the proxy to forward requests to arbitrary external or internal systems.

Existe una vulnerabilidad de server-side request forgery (SSRF) en Bitdefender GravityZone Update Server al operar en modo de retransmisión. El componente proxy HTTP en el puerto 7074 utiliza una lista de permitidos de dominio para restringir las solicitudes salientes, pero no depura correctamente los nombres de host que contienen secuencias de bytes nulos (%00). Al manipular una solicitud a un dominio como evil.com%00.bitdefender.com, un atacante puede eludir la comprobación de la lista de permitidos, lo que provoca que el proxy reenvíe las solicitudes a sistemas externos o internos arbitrarios.

*Credits: Nicolas Verdier (@n1nj4sec)

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

Low

Integrity

None

Low

Availability

None

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-03-12 CVE Reserved
2025-04-04 CVE Published
2025-04-04 CVE Updated
2025-04-05 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters

References (1)

URL	Tag	Source
https://www.bitdefender.com/support/security-advisories/server-side-request-forgery-in-gravityzone-update-server-using-null-bytes-va-12646

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bitdefender Search vendor "Bitdefender"		GravityZone Update Server Search vendor "Bitdefender" for product "GravityZone Update Server"				< 3.5.2.689 Search vendor "Bitdefender" for product "GravityZone Update Server" and version " < 3.5.2.689"		en		Affected