CVE-2025-34156
CVE-2025-34156 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-497.
Key facts
- Severity: Medium (CVSS 4.0 base score 6.9)
- EPSS exploit prediction: 0% (26th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-35704
- Weakness: CWE-497
- Published:
- Last modified:
Description
Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system information through an unauthenticated endpoint at /cwmp/happyaxis.jsp. The page discloses Java system properties, server path details, and version information to unauthorized users, resulting in information disclosure that could aid further compromise.
Frequently asked questions
- What is CVE-2025-34156?
- Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system information through an unauthenticated endpoint at /cwmp/happyaxis.jsp. The page discloses Java system properties, server path details, and version information to unauthorized users, resulting in information disclosure that could aid further compromise.
- How severe is CVE-2025-34156?
- CVE-2025-34156 has a CVSS 4.0 base score of 6.9, rated medium severity.
- Is CVE-2025-34156 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-34156?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-34156 have an EU (EUVD) identifier?
- Yes. CVE-2025-34156 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-35704.
- When was CVE-2025-34156 published?
- CVE-2025-34156 was published on 2025-10-23 and last updated on 2026-06-17.
References
- https://aggregate.digital/downloads.html
- https://aggregate.digital/products/network-manager.html
- https://www.vulncheck.com/advisories/tibbo-aggregate-network-manager-system-information-exposure
Other CWE-497 vulnerabilities
- CVE-2025-10264 — Critical (CVSS 10.0): Certain models of NVR developed by Digiever has an Exposure of Sensitive Information vulnerability, allowing…
- CVE-2026-27494 — Critical (CVSS 9.9): n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated…
- CVE-2025-47699 — Critical (CVSS 9.9): Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho…
- CVE-2025-44823 — Critical (CVSS 9.9): Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a…
- CVE-2026-14808 — Critical (CVSS 9.8): Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing…
- CVE-2024-13999 — Critical (CVSS 9.8): Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or…