CVE-2025-43720

Source
https://cve.org/CVERecord?id=CVE-2025-43720
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43720.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43720
Published
2025-07-21T17:15:37.050Z
Modified
2026-04-12T16:55:23.909215Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password required to escape out of the MDM-controlled device's profile.

References

Affected packages

Git / github.com/h-mdm/hmdm-server

Affected ranges

Type
GIT
Repo
https://github.com/h-mdm/hmdm-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.33.1"
        }
    ]
}

Affected versions

v5.*
v5.27.2
v5.28.1
v5.29.1
v5.30.1
v5.30.3
v5.31.1
v5.32.1

Database specific

vanir_signatures
[
    {
        "id": "CVE-2025-43720-2c77f128",
        "target": {
            "function": "getConfigurationApplications",
            "file": "server/src/main/java/com/hmdm/rest/resource/ConfigurationResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "254356613168551213908908216302195109986",
            "length": 164.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-3ac234fc",
        "target": {
            "file": "server/src/main/java/com/hmdm/guice/module/ConfigureModule.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "10620727926956154615521969716629865684",
                "316575086913422014031868203328425066521",
                "285826611951026806621598260775763283839",
                "26948761278868631048165704637505845312",
                "316187376605211944289933621070733152206",
                "192200351653515910875078539866706092044",
                "208501596119552176965408824756884628024",
                "217232418118778894781534883555712550875"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-54b8d982",
        "target": {
            "file": "server/src/main/java/com/hmdm/rest/resource/SyncResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "107911496508891373624243098629946864655",
                "173132575147094576628660049241227282446",
                "80735139083351048095252136118560095556",
                "130471951536372738700638900238192631201",
                "104340778163395255057888808518977048117",
                "258826383833874359571482893061043896912",
                "132063182754218268370725425733646534021",
                "228597863928835554075657619554424293691",
                "321533064124970411077269070148362762939",
                "324722317537376278975873376582502208462",
                "319385642475178723925281059336468820870",
                "259041381224234548970322341573605427238",
                "232573019979057912373648786257907371925",
                "287645027704248388957598876124739071737",
                "105908098025281147653770360006929505569",
                "269724892359233310004498699721784592876",
                "198263139567128370184605365191641577386",
                "306081073593229908331944415646001246160",
                "198882472301965047540335085926458882744",
                "337677743374098907762137136794187783882",
                "83091611378546993299549640142231007844",
                "310261259373391512426587193166724265191",
                "112565744964837664241954720076683159705",
                "148007513692260257817698374178128869767",
                "45850580752085299011862712334003564562",
                "283195829094197051359763307736810982220",
                "170913232269536148801434210552239673743",
                "70155518662792811039274635556025908062",
                "64957936858571529653690825677208826284",
                "310261259373391512426587193166724265191",
                "112565744964837664241954720076683159705",
                "148007513692260257817698374178128869767",
                "220676402662838368038689287201212395655"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-557bf6bd",
        "target": {
            "function": "configure",
            "file": "server/src/main/java/com/hmdm/guice/module/ConfigureModule.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "55219294824594461736141424161684657626",
            "length": 11717.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-62ee53cb",
        "target": {
            "file": "server/src/main/java/com/hmdm/rest/resource/ConfigurationResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "73701294441859045138011563864646004890",
                "159082486900774364998552346374650779720",
                "87481736442659086925715320084490866887",
                "38462782285156483597363638969107331026",
                "11725820280104327138146925135587183897",
                "208144825362243935699770124793335088936",
                "256926814959671992332894772510999388931",
                "273041202519384408313605633999189603509",
                "63603369074298400970106227193465889935",
                "4799019836347851000564878544751087214",
                "230574884580855171267571155996602155464",
                "295080901178434824432277495541476632187",
                "265584141874701408334692573973637609147",
                "310131155503676692338207452426341898107",
                "3758718565186889072955159968352745047",
                "320914145696097846471103816182118465840",
                "124741943646775125399540111159232184527",
                "253263368770310945328047701309316130841",
                "281495298043161275726094103663559254966",
                "210144507454655573189764466365066220598",
                "14566327727593021327392052677994986496",
                "41109141186782973323364614636280997328",
                "39803079199138813469745876868056541338",
                "339675931303423327593256200231028523113"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-8dff21f1",
        "target": {
            "function": "getConfigurationById",
            "file": "server/src/main/java/com/hmdm/rest/resource/ConfigurationResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "34884879356947192250995666631719820409",
            "length": 122.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-8e4527a6",
        "target": {
            "function": "getDeviceSetting",
            "file": "server/src/main/java/com/hmdm/rest/resource/SyncResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "62793014219098735520641910644887825709",
            "length": 1291.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-94eab37e",
        "target": {
            "function": "getConfigurations",
            "file": "server/src/main/java/com/hmdm/rest/resource/ConfigurationResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "330234790355091588840483180082622005065",
            "length": 463.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-c15cae08",
        "target": {
            "function": "searchConfigurations",
            "file": "server/src/main/java/com/hmdm/rest/resource/ConfigurationResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "325328227897447485508002907304972434046",
            "length": 233.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-c3715664",
        "target": {
            "function": "getDeviceSettingExtended",
            "file": "server/src/main/java/com/hmdm/rest/resource/SyncResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "123422502648374876368696835614861124247",
            "length": 1276.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-d407f064",
        "target": {
            "function": "SyncResource",
            "file": "server/src/main/java/com/hmdm/rest/resource/SyncResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "97299104756691519338526049660300096585",
            "length": 945.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-43720-df3afa5c",
        "target": {
            "function": "getAllConfigurations",
            "file": "server/src/main/java/com/hmdm/rest/resource/ConfigurationResource.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/h-mdm/hmdm-server/commit/19e4a63f732c99064444df7e8c61b4f01df362e8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "279586475186204064428065979946601584860",
            "length": 191.0
        },
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43720.json"
vanir_signatures_modified
"2026-04-12T16:55:23Z"