Multiple vulnerabilities in GMOD Apollo



Risk: High
Patch available: Yes
Number of vulnerabilities: 4
CVE-ID: CVE-2025-21092, CVE-2025-23410, CVE-2025-24924, CVE-2025-20002
CWE-ID: CWE-266, CWE-22, CWE-306, CWE-209
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Apollo
Software category: Client/Desktop applications / Other client software

Vendor Generic Model Organism Database Project

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Incorrect Privilege Assignment

EUVDB-ID: #VU105326

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-21092

CWE-ID: CWE-266 - Incorrect Privilege Assignment

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected product does not perform sufficient logic or access checks when updating a user's information. A remote user can gain elevated privileges on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apollo: before 2.8.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU105327

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-23410

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when uploading organism or sequence data via the web interface. A remote attacker can gain access to the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apollo: before 2.8.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Missing Authentication for Critical Function

EUVDB-ID: #VU105328

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-24924

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because certain functionality does not require authentication when it is passed an administrative username. A remote user can gain access to the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apollo: before 2.8.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information Exposure Through an Error Message

EUVDB-ID: #VU105329

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-20002

CWE-ID: CWE-209 - Information Exposure Through an Error Message

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output after an attempt to upload a file that does not meet the prerequisites. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apollo: before 2.8.0

CPE2.3 External links

https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
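The two upload issues in this bulletin (item 2, path traversal in organism or sequence uploads, and item 4, excessive output on a rejected upload) share one defensive pattern: prove that the destination stays under the upload root and return only a generic message when a file is rejected, keeping the details in the server log. The handler below is an added illustration and not Apollo's own code; the upload root, the FASTA-header prerequisite and the response shape are assumptions.

```python
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("upload-example")  # server-side log; the client never sees it


class UploadRejected(Exception):
    """Carries a client-safe message; internal details stay in the server log."""


def safe_destination(base_dir: Path, organism: str, filename: str) -> Path:
    """Resolve where an uploaded sequence file may land and prove it stays under base_dir.
    Components are checked for separators, NUL and traversal segments, then the
    fully resolved path (symlinks followed) is re-checked against the root."""
    for part in (organism, filename):
        if not part or part in (".", "..") or any(c in part for c in "/\\\x00"):
            raise UploadRejected("invalid organism or file name")
    root = base_dir.resolve()
    target = (root / organism / filename).resolve()
    if root not in target.parents:
        raise UploadRejected("invalid organism or file name")
    return target


def handle_upload(base_dir: Path, organism: str, filename: str, data: bytes) -> dict:
    """Store the upload or return a generic error; paths and exception text are logged, never echoed."""
    try:
        dest = safe_destination(base_dir, organism, filename)
        if not data.startswith(b">"):  # assumed prerequisite: FASTA-style header line
            raise UploadRejected("file does not meet upload prerequisites")
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        return {"status": "ok", "organism": organism, "file": filename}
    except UploadRejected as exc:
        log.warning("rejected upload organism=%r filename=%r: %s", organism, filename, exc)
        return {"status": "error", "message": str(exc)}
    except OSError:
        log.exception("upload failed organism=%r filename=%r", organism, filename)
        return {"status": "error", "message": "upload failed"}


def run_demo() -> dict:
    """Exercise the handler on constructed inputs inside a throwaway directory."""
    base = Path(tempfile.mkdtemp())
    return {
        "ok": handle_upload(base, "yeast", "chrI.fa", b">chrI\nACGTACGT\n"),
        "traversal": handle_upload(base, "..", "passwd", b">x\n"),
        "separator": handle_upload(base, "yeast", "../../etc/passwd", b">x\n"),
        "bad_format": handle_upload(base, "yeast", "notes.txt", b"not a fasta file"),
        "base": str(base),
    }
```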