A critical vulnerability has been identified in Omnissa Workspace One UEM (formerly VMware Workspace One UEM), designated as CVE-2025-25231. This flaw allows unauthenticated attackers to perform path traversal attacks within a secondary context, ultimately leading to information disclosure and potential Remote Code Execution (RCE). The vulnerability resides within the SystemAppMetadataV1Controller, specifically in how the application handles the packageId parameter during request routing. Remediation is available in versions 24.10.0.11, 24.6.0.35, 24.2.0.30, and 23.10.0.50.
The vulnerability resides within the DevicesGateway application, specifically inside the SystemAppMetadataV1Controller. This component is designed to retrieve package information without requiring user authentication. The flaw stems from how the application handles the packageId parameter, which is used to construct the resource string for internal routing. Due to improper input validation, this parameter can be manipulated to traverse the URL path, effectively tricking the system into routing the request to unintended internal endpoints with elevated privileges.
The core of the issue lies in the GetSystemAppMetadataAsync method within the SystemAppMetadataV1Controller. It is observed that the packageId is taken directly from the URL path and concatenated to form a resource string. While packageId is intended as a path parameter, it was found that the path parameter can be overridden by supplying packageId in the URL query string, a quirk necessary for exploitation.
Crucially, the code concatenates this user-controlled input directly into a resource string. The route that exposes the parameter is declared as:

    [VersionedRoute("system-app-metadata/{packageId}", 1, null)]
The constructed resource string is subsequently passed to UpdateAndRouteRequestAsync. This function initiates a process to determine the internal destination of the request.
The UpdateAndRouteRequestAsync method forwards the request details to RouteRequestAsync, which effectively acts as a proxy. The routing logic relies on GetApiDetailsAsync to resolve the destination URL and the appropriate authentication tokens.
This resolution process uses regular expressions defined in a static JSON configuration file (devicesGatewayConfiguration.json) to match the resource string against known patterns.
    ApiConfiguration apiConfiguration = configuration.ApiConfigurations
If a match is found, the system assigns an authentication token valid for the internal module.
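To make the routing step concrete, here is a small Python model of that resolution logic, added as an illustration; it is not code from Omnissa or from this post. The API_CONFIGURATIONS table, the token name INTERNAL_MODULE_TOKEN, GATEWAY_PREFIX and the PACKAGE_ID_RE allowlist are all assumptions. The vulnerable resolver matches the regex against the raw resource string and only afterwards lets the ".." segments collapse, so the privileged token travels with a request that lands on a different internal path; the hardened resolver ignores a query-string override, allowlists packageId, and canonicalises before matching.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in for the regex-to-token table the page says lives in
# devicesGatewayConfiguration.json; the pattern and token name are hypothetical.
API_CONFIGURATIONS = [
    (re.compile(r"^apps/system-app-metadata/.+$"), "INTERNAL_MODULE_TOKEN"),
]
GATEWAY_PREFIX = "/DevicesGateway/"           # assumed upstream mount point
ROUTE_PREFIX = GATEWAY_PREFIX + "apps/system-app-metadata/"
PACKAGE_ID_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # hypothetical allowlist


def build_resource_string(path_package_id, query):
    # Mirrors the quirk described above: a packageId in the query string
    # overrides the path parameter before it is concatenated.
    package_id = unquote(query.get("packageId", path_package_id))
    return "apps/system-app-metadata/" + package_id


def resolve_vulnerable(resource):
    # Simplified model: the regex is matched against the raw resource string,
    # so the internal token is assigned, but the '..' segments collapse when
    # the proxied path is built and the request ends up on another endpoint.
    for pattern, token in API_CONFIGURATIONS:
        if pattern.match(resource):
            path, _, query = resource.partition("?")
            return posixpath.normpath(GATEWAY_PREFIX + path), query, token
    return None


def resolve_hardened(path_package_id, query):
    # 1. Never let a query parameter override a route parameter
    #    (the query argument is deliberately not consulted).
    package_id = path_package_id
    # 2. Allowlist the identifier and reject traversal outright.
    if not PACKAGE_ID_RE.match(package_id) or ".." in package_id:
        raise ValueError("invalid packageId")
    resource = "apps/system-app-metadata/" + package_id
    # 3. Canonicalise before matching and confirm the result stays in the route.
    canonical = posixpath.normpath(GATEWAY_PREFIX + resource)
    if not canonical.startswith(ROUTE_PREFIX):
        raise ValueError("resource escapes its route")
    for pattern, token in API_CONFIGURATIONS:
        if pattern.match(resource):
            return canonical, "", token
    raise LookupError("no route for resource")


if __name__ == "__main__":
    crafted = {"packageId": "../../../../API/system/users/search%3fpagesize=10"}
    print(resolve_vulnerable(build_resource_string("1", crafted)))
    print(resolve_hardened("1", crafted))  # override ignored, serves package 1
    try:
        resolve_hardened("../../../../API/system/users/search", {})
    except ValueError as exc:
        print("rejected:", exc)
```

The three checks in resolve_hardened are independent on purpose: even if the allowlist were later loosened, canonicalising and re-checking the prefix before the regex match would still keep the resource inside its own route.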
The vulnerability arises because the path traversal characters (e.g., ..//) in the resource string are interpreted by the system in a way that alters the final destination path while retaining the high-privilege context. An attacker can exploit this behavior by supplying a crafted packageId containing traversal sequences:
    GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/users/search%3fpagesize=10 HTTP/1.1
    <TRUNCATED>
This request bypasses authentication and returns a list of users.
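For detection, the following Python scanner (added here; not part of the original post) flags access-log entries that match the request shape above: a DevicesGateway system-app-metadata path with a packageId supplied in the query string rather than in the path, and traversal sequences in its decoded value. The log format, the SAMPLE_LOG lines and the source addresses are constructed; the endpoint paths are the ones named on this page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample of access-log lines in a common combined-log shape;
# none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /DevicesGateway/apps/system-app-metadata/com.example.app HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/users/search%3fpagesize=10 HTTP/1.1" 200 8192
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /DevicesGateway/apps/system-app-metadata/1?packageId=%2e%2e%2f%2e%2e%2fAPI%2fsystem%2fadmins%2fsearch%3fstatus%3dactive HTTP/1.1" 200 4096
203.0.113.9 - - [10/Jan/2025:10:00:04 +0000] "GET /AirWatch/Login/Login/Login-User HTTP/1.1" 302 0
"""

ROUTE_PREFIX = "/devicesgateway/apps/system-app-metadata/"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." that stands alone as a path segment, after backslashes are folded to "/".
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(value, rounds=3):
    # Collapse repeated percent-encoding (e.g. %252e) before inspection.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return a finding for one request target, or None if it looks normal."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(ROUTE_PREFIX):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("packageId", [])
    if not values:
        return None  # packageId only in the path: the intended usage
    for raw in values:
        decoded = decode_fully(raw).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            return {"severity": "high",
                    "reason": "traversal in query-string packageId",
                    "decoded": decoded}
    # No traversal, but overriding the path parameter via the query string is
    # itself unusual and worth a lower-severity record.
    return {"severity": "medium",
            "reason": "packageId supplied in query string instead of path",
            "decoded": decoded}


def scan_log(text):
    """Run inspect_request over every parseable line and attach log context."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = inspect_request(match.group("target"))
        if finding:
            finding.update(src=match.group("src"), ts=match.group("ts"),
                           status=match.group("status"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a high-severity hit means the gateway served the rerouted request, so the response size of those entries is worth comparing against normal metadata responses. Because the chain described on this page continues with spraying against the Login-User endpoint, a burst of requests to that path from the same source shortly after a hit is a useful correlation rule to add alongside this scanner.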
A more effective target for escalation is the list of active admin users, accessible via /API/system/admins/search?status=active. With a list of administrative usernames, a password spraying attack can be executed. The spraying is performed against the /AirWatch/Login/Login/Login-User endpoint.
If a correct password is found and Global Administrator access is gained, the attack can be escalated to Remote Code Execution. This is achieved by modifying the "Blob Cache Store Path" setting to a web-accessible directory (ideally the Default Website).
While file uploads are restricted to encrypted file extensions (enforced through the encryptedAllowedFileType parameter), the encryption implementation relies on a hardcoded master key. The default master key is defined as follows:
    public MasterKey()
Attackers can generate a valid encrypted string for extensions like .aspx by utilizing this hardcoded key. This encrypted string is then used to bypass restrictions and upload a webshell.
We also strongly suggest simulating the Omnissa Workspace ONE UEM CVE-2025-25231 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Omnissa Workspace ONE UEM CVE-2025-25231 vulnerability exploitation attacks:
Threat ID   Threat Name                    Attack Module
31497       Omnissa Web Attack Campaign    Web Application
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.