Sıla Özeren Hacıoğlu

CREATED ON December 19, 2025

Omnissa Workspace One CVE-2025-25231 Path Traversal Exploit

A critical vulnerability has been identified in Omnissa Workspace One UEM (formerly VMware Workspace One UEM), designated as CVE-2025-25231. This flaw allows unauthenticated attackers to perform path traversal attacks within a secondary context, ultimately leading to information disclosure and potential Remote Code Execution (RCE). The vulnerability resides within the SystemAppMetadataV1Controller, specifically in how the application handles the packageId parameter during request routing. Remediation is available in versions 24.10.0.11, 24.6.0.35, 24.2.0.30, and 23.10.0.50.

How Is CVE-2025-25231 Exploited?

The vulnerability resides within the DevicesGateway application, specifically inside the SystemAppMetadataV1Controller. This component is designed to retrieve package information without requiring user authentication. The flaw stems from how the application handles the packageId parameter, which is used to construct the resource string for internal routing. Due to improper input validation, this parameter can be manipulated to traverse the URL path, effectively tricking the system into routing the request to unintended internal endpoints with elevated privileges.

Technical Analysis

The core of the issue lies in the GetSystemAppMetadataAsync method within the SystemAppMetadataV1Controller. It is observed that the packageId is taken directly from the URL path and concatenated to form a resource string. While packageId is intended as a path parameter, it was found that the path parameter can be overridden by supplying packageId in the URL query string, a quirk necessary for exploitation.

Crucially, the code concatenates this user-controlled input directly into a resource string:

[VersionedRoute("system-app-metadata/{packageId}", 1, null)]
public async Task<IActionResult> GetSystemAppMetadataAsync(string packageId)
{
    // packageId is user-controlled and is concatenated without any validation,
    // so traversal sequences in it become part of the internal routing path.
    string resource = "apps/system-app-metadata/" + packageId;

    // The resource string is resolved to an internal destination and the
    // request is forwarded with the token assigned for the matched module.
    HttpResponseMessage httpResponseMessage = await UpdateAndRouteRequestAsync(resource,
        base.Request.Method, base.Request.Headers, base.Request.Content).ConfigureAwait(continueOnCapturedContext: true);

    return ActionResultFactory.GetActionResult(base.Request)
        .WithHttpResponseMessage(httpResponseMessage)
        .WithHttpStatusCode(httpResponseMessage.StatusCode);
}

The constructed resource string is subsequently passed to UpdateAndRouteRequestAsync. This function initiates a process to determine the internal destination of the request.

The UpdateAndRouteRequestAsync method forwards the request details to RouteRequestAsync, which effectively acts as a proxy. The routing logic relies on GetApiDetailsAsync to resolve the destination URL and the appropriate authentication tokens.

This resolution process uses regular expressions defined in a static JSON configuration file (devicesGatewayConfiguration.json) to match the resource string against known patterns.

// The unsanitized resource string is matched against the regex patterns from
// devicesGatewayConfiguration.json; the first match decides the internal module.
ApiConfiguration apiConfiguration = configuration.ApiConfigurations
    .FirstOrDefault((ApiConfiguration k) => Regex.IsMatch(resource, k.Pattern));

// ...

// The matched configuration is carried into the routing details, together with
// the device/tenant context used to select the destination and its token.
DevicesGatewayApiDetails retApiDetails = new DevicesGatewayApiDetails();
deviceUuid = await GetDeviceUuidAsync(deviceUuid, resource, requestQuery,
    tenantUuid, text2, apiConfiguration, text, retApiDetails);

If a match is found, the system assigns an authentication token valid for the internal module.

The vulnerability arises because the path traversal characters (e.g., ..//) in the resource string are interpreted by the system in a way that alters the final destination path while retaining the high-privilege context. An attacker can exploit this behavior by supplying a crafted packageId containing traversal sequences:

GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/users/search%3fpagesize=10 HTTP/1.1
Host: target

<TRUNCATED>

This request bypasses authentication and returns a list of users.
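The following is an added example (not code from the original post or from Omnissa) showing, from the defender's side, the two checks the routing path above lacks: an input validator for packageId that rejects traversal sequences even when they are URL-encoded, and a detection rule that flags system-app-metadata requests carrying an unsafe packageId in the query string. The allowlist pattern for a package id and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed allowlist for a package id (dotted identifier); not Omnissa's own rule.
PACKAGE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
GATEWAY_PREFIX = "/DevicesGateway/apps/system-app-metadata/"


def is_safe_package_id(package_id: str) -> bool:
    """True only if package_id cannot alter the routing path.

    Decodes in a bounded loop so %2e%2e%2f and double-encoded forms are
    caught, then rejects separators and traversal before the allowlist check.
    """
    decoded = package_id
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if any(bad in decoded for bad in ("/", "\\", "..", "?")):
        return False
    return PACKAGE_ID_RE.fullmatch(decoded) is not None


def flag_request(url: str) -> bool:
    """Detection rule: packageId overridden via the query string on the
    system-app-metadata route with a value that would change the path."""
    parts = urlsplit(url)
    if not parts.path.startswith(GATEWAY_PREFIX):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(not is_safe_package_id(v) for v in query.get("packageId", []))


# Constructed access-log lines (method + request target), not from a real system.
SAMPLE_LOG = [
    "GET /DevicesGateway/apps/system-app-metadata/com.example.app",
    "GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/users/search%3fpagesize=10",
    "GET /DevicesGateway/apps/system-app-metadata/1?packageId=%252e%252e%252fAPI%252fsystem%252fusers%252fsearch",
    "GET /AirWatch/Login/Login/Login-User",
]


def scan_log(lines):
    """Return the indexes of log lines matching the detection rule."""
    return [i for i, line in enumerate(lines) if flag_request(line.split(" ", 1)[1])]
```

The third sample line is double-encoded; the bounded decode loop is what makes the rule catch it.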

A more effective target for escalation is the list of active admin users, accessible via /API/system/admins/search?status=active. With a list of administrative usernames, a password spraying attack can be executed. The spraying is performed against the /AirWatch/Login/Login/Login-User endpoint.

If a correct password is found and Global Administrator access is gained, the attack can be escalated to Remote Code Execution. This is achieved by modifying the "Blob Cache Store Path" setting to a web-accessible directory (ideally the Default Website).

While file uploads are restricted by requiring an encrypted file-extension value (checked against the encryptedAllowedFileType parameter), the encryption implementation relies on a hardcoded master key. The default master key is defined as follows:

public MasterKey()
{
    // Hardcoded default key material shared by every installation:
    // anyone with the binary can reproduce the "encrypted" extension strings.
    KeyVersion = "kv0";
    Passphrase = "5c5e2c554f4f644b54383127495b356d7b36714e4b214a6967492657290123a0";
    SaltData = "s@1tValue";
    IsKeyValid = true;
}

Attackers can generate a valid encrypted string for extensions like .aspx by utilizing this hardcoded key. This encrypted string is then used to bypass restrictions and upload a webshell.

How Does Picus Help Simulate Omnissa Workspace ONE UEM CVE-2025-25231 Attacks?

We also strongly suggest simulating the Omnissa Workspace ONE UEM CVE-2025-25231 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threat for exploitation of the Omnissa Workspace ONE UEM CVE-2025-25231 vulnerability:

Threat ID | Threat Name                 | Attack Module
31497     | Omnissa Web Attack Campaign | Web Application

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • CVE-2025-25231 is a critical vulnerability identified in Omnissa Workspace One UEM that allows unauthenticated attackers to perform path traversal attacks, leading to information disclosure and potential Remote Code Execution.
  • The flaw exists within the SystemAppMetadataV1Controller of the DevicesGateway application, where the packageId parameter is improperly validated during request routing.
  • Attackers can exploit this behavior by overriding the packageId path parameter via the URL query string to inject traversal sequences, tricking the system into routing requests to internal endpoints with elevated privileges.
  • Successful exploitation bypasses authentication and allows access to sensitive data, such as retrieving a list of active administrative users to facilitate password spraying attacks.
  • Gaining Global Administrator access allows attackers to modify the "Blob Cache Store Path" setting to a web-accessible directory, paving the way for Remote Code Execution.
  • The system's file upload restrictions can be bypassed using a hardcoded master key found in the code, which allows attackers to generate valid encrypted strings for executable file extensions like .aspx.
  • Remediation is available in versions 24.10.0.11, 24.6.0.35, 24.2.0.30, and 23.10.0.50.

This is a critical flaw identified in Omnissa Workspace One UEM, formerly known as VMware Workspace One UEM. The vulnerability allows unauthenticated attackers to execute path traversal attacks within a secondary context. Successful exploitation results in information disclosure and can potentially lead to Remote Code Execution. The issue specifically resides in the SystemAppMetadataV1Controller component.

The vulnerability exists because the application improperly validates the packageId parameter. Attackers override this path parameter via the URL query string and inject traversal characters. This manipulation tricks the system into routing requests to unintended internal endpoints with elevated privileges, bypassing the need for user authentication.

The GetSystemAppMetadataAsync method concatenates user-controlled input directly into a resource string. The UpdateAndRouteRequestAsync method then uses this string to determine the destination. Because the input is not sanitized, traversal sequences alter the final path while retaining the high-privilege context assigned by the static JSON configuration.

Attackers first obtain a list of admin users to perform password spraying. Upon gaining Global Administrator access, they modify the Blob Cache Store Path to a web-accessible directory. They then upload a malicious file, such as a webshell, by generating a valid encrypted extension string using a hardcoded master key found in the code.

The encryption implementation for file extensions relies on a hardcoded master key with a known passphrase and salt. Attackers utilize this key to generate valid encrypted strings for restricted extensions like .aspx. This allows them to bypass the encryptedAllowedFileType parameter checks and upload executable files to the server.

Remediation for this vulnerability is available in versions 24.10.0.11, 24.6.0.35, 24.2.0.30, and 23.10.0.50. These updates address the flaws in the SystemAppMetadataV1Controller to prevent path traversal and subsequent unauthorized access.
