CVE-2025-43720

Published: Jul 21, 2025Modified: Aug 7, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password requires to escape out of the MDM controlled device's profile.

Affected (1)

Products: H Mdm: Headwind Mdm

H Mdm

1 product

Headwind Mdm

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
H Mdm Headwind Mdm	Before 5.33.1

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (3)

https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8

Source: cve@mitre.org

Patch

https://github.com/h-mdm/hmdm-server/compare/v5.32.1...v5.33.1

Source: cve@mitre.org

Patch

https://www.periculo.co.uk/cyber-security-blog/how-our-pen-tester-found-a-critical-vulnerability-cve-2025-43720

Source: cve@mitre.org

Third Party Advisory

Timeline

No history available yet.