CVE-2025-14038 - Unauthenticated gRPC API Access
First Published: 2025/15/03
Last Updated: 2025/15/03
Summary
EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This allows unauthorized access to critical internal gRPC APIs within a Hybrid Manager service due to missing authentication and authorization checks in the Istio Gateway configuration. This vulnerability has been remediated in EDB Hybrid Manager 1.3.3 and HM 2025.12, and customers should consider upgrading to the patched version as soon as possible.
The vulnerability is due to a misconfiguration in the Istio Gateway, which enforces authentication and authorization for the affected endpoints. Because certain APIs were not explicitly listed in the API gateway's security configuration, an unauthorized user with network access to the HM environment could invoke those endpoints directly, bypassing the checks applied to the listed ones.
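The misconfiguration class described above, where gateway authentication is only enforced for an explicit list of paths, can be caught before release by diffing the gateway's authorization policy against the set of gRPC methods it routes. The following Python script is an added example for this advisory and is not EDB's code or configuration: the service and method names, the "hm.*" packages, the policy names and the gateway labels are constructed assumptions. It models Istio's `AuthorizationPolicy` path-matching rules (exact, prefix, suffix, bare wildcard) and the common `DENY` + `notRequestPrincipals: ["*"]` pattern for requiring a validated JWT, then reports every routed gRPC method that no such rule covers.

```python
"""Audit an Istio AuthorizationPolicy for gRPC methods reachable without an
authenticated request principal.

Added example for this advisory: the service and method names, the policy
shapes and the gateway labels are constructed assumptions, not EDB Hybrid
Manager's real configuration. No third-party packages are required.
"""

# Constructed inventory of gRPC methods the gateway routes. gRPC sends
# "/package.Service/Method" as the HTTP/2 :path, which is what Istio's
# operation.paths is matched against.
ROUTED_METHODS = [
    "/hm.clusters.v1.ClusterService/ListClusters",
    "/hm.clusters.v1.ClusterService/DeleteCluster",
    "/hm.backup.v1.BackupService/TriggerBackup",
    "/grpc.health.v1.Health/Check",
]

# Methods intentionally callable without a principal (assumption).
PUBLIC_OK = {"/grpc.health.v1.Health/Check"}


def _policy(name, operation):
    """DENY policy rejecting requests that carry no request principal
    (i.e. no validated JWT) for the given operation clause."""
    return {
        "apiVersion": "security.istio.io/v1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": name, "namespace": "istio-system"},
        "spec": {
            "selector": {"matchLabels": {"istio": "ingressgateway"}},
            "action": "DENY",
            "rules": [{
                "from": [{"source": {"notRequestPrincipals": ["*"]}}],
                "to": [{"operation": operation}],
            }],
        },
    }


# Weak pattern: authentication is enforced only for the listed paths, so any
# service the list omits is never checked.
WEAK_POLICY = _policy("require-jwt-listed-paths",
                      {"paths": ["/hm.clusters.v1.ClusterService/*"]})

# Hardened pattern: deny-by-default for every path, public exceptions named
# explicitly via notPaths.
FIXED_POLICY = _policy("require-jwt-all-paths",
                       {"paths": ["/*"],
                        "notPaths": ["/grpc.health.v1.Health/*"]})


def istio_path_match(pattern, path):
    """Istio operation.paths semantics: exact, prefix "/x*", suffix "*/x",
    or the bare wildcard "*"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return pattern == path


def _rule_requires_principal(rule):
    """True if the rule targets requests without a request principal."""
    return any(src.get("source", {}).get("notRequestPrincipals") == ["*"]
               for src in rule.get("from", []))


def _rule_covers(rule, path):
    """True if the rule's 'to' clause applies to path (no 'to' means all)."""
    tos = rule.get("to")
    if not tos:
        return True
    for to in tos:
        op = to.get("operation", {})
        paths, not_paths = op.get("paths", []), op.get("notPaths", [])
        matched = not paths or any(istio_path_match(p, path) for p in paths)
        excluded = any(istio_path_match(p, path) for p in not_paths)
        if matched and not excluded:
            return True
    return False


def unauthenticated_methods(policy, methods):
    """Methods no DENY rule blocks for principal-less requests (order kept)."""
    spec = policy["spec"]
    if spec.get("action", "ALLOW") != "DENY":
        raise ValueError("this audit only models DENY-based JWT enforcement")
    rules = spec.get("rules", [])
    return [m for m in methods
            if not any(_rule_requires_principal(r) and _rule_covers(r, m)
                       for r in rules)]


def audit(policy, methods, public_ok):
    """Unauthenticated methods that are not on the intentional-public list."""
    return [m for m in unauthenticated_methods(policy, methods)
            if m not in public_ok]


if __name__ == "__main__":
    for pol in (WEAK_POLICY, FIXED_POLICY):
        findings = audit(pol, ROUTED_METHODS, PUBLIC_OK)
        print(pol["metadata"]["name"], "->", findings or "no unprotected methods")
```

Run stand-alone, the weak policy flags `/hm.backup.v1.BackupService/TriggerBackup` as reachable without a principal while the hardened policy flags nothing. In a real deployment the method inventory would come from the gateway's routes or the services' protobuf descriptors rather than a hand-written list, and the check belongs in CI so that a newly added gRPC service cannot ship without an authorization rule covering it.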
Vulnerability details
CVE-ID: CVE-2025-14038
CVSS Base Score: 7.0
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Affected products and versions
The vulnerability is tied to the Istio Gateway configuration used across Hybrid Manager (HM) versions that expose the affected HM gRPC services.
- Affected Product: Hybrid Manager (HM)
- Affected Versions: All versions prior to HM 2025.12 & HM 1.3.3.
Remediation/fixes
Remediation is available in HM 2025.12 & HM 1.3.3.
References
- https://www.first.org/cvss/calculator/3.1
- CWE-862 Missing Authorization
- CWE-306 Missing Authentication for Critical Function
Related information
Acknowledgement
Source: MITRE
Change history
15 Dec 2025: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.