Description

A privilege escalation vulnerability was identified in Automai Director that allows an authenticated attacker to gain elevated (superuser) privileges. With higher privileges an attacker is able to manipulate the system which could affect connected systems.

Details

• Product: Automai Director
• Affected Versions: < 25.2.0
• Vulnerability Type: CWE-280: Improper Handling of Insufficient Permissions or Privileges
• Risk Level: Critical - CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
• Authentication: Required
• Vendor URL: https://www.automai.com/
• Vendor acknowledged vulnerability: Yes
• Vendor Status: Fixed
• CVE: CVE-2025-46066

Impact

A successful privilege escalation attack allows an attacker to gain unauthorized administrative access within the application. Once elevated, the attacker can control connected agents, execute arbitrary commands, and manipulate critical application functionality. This could lead to data corruption, unauthorized configuration changes, service disruption, or complete compromise of the application’s integrity and availability.

References

• National Vulnerability Database CVE-2025-46066

Timeline

• 2025-04: Vulnerability reported to the vendor.
• 2025-05: Vendor published a fix for the issue.
• 2026-01: Information about the vulnerability is published.

Credits

• Bastian Recktenwald (Bastian.Recktenwald@ZeroBreach.de)