CVE-2025-21611
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2025-21611 is a vulnerability affecting tgstation-server, a tool used for BYOND server management. Before version 6.12.3, the authorization check for API methods was combined with the user's enabled status using OR instead of AND. As a result, some users could access API actions they were not meant to reach, even without the required permissions. Notably, the WriteUsers right was not affected by this bug, so users could not permanently elevate their account permissions. The vulnerability was resolved with the release of tgstation-server-v6.12.3.
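The OR-versus-AND mistake described above, as an added example: a simplified Python model of this flaw class with a differential check a regression test can reuse. It is not tgstation-server's code; the `Rights` names, the `User` type and every function name are hypothetical.

```python
from dataclasses import dataclass
from enum import Flag, auto
from itertools import product


class Rights(Flag):
    """Constructed right names for illustration, not the project's real enum."""
    NONE = 0
    READ_LOGS = auto()
    CHANGE_VERSION = auto()
    RESTART_HOST = auto()


@dataclass(frozen=True)
class User:
    enabled: bool
    rights: Rights


def has_rights(user: User, required: Rights) -> bool:
    # Every required bit must be present in the user's grant.
    return (user.rights & required) == required


def authorize_buggy(user: User, required: Rights) -> bool:
    # Flaw class from the summary: OR lets either condition pass on its own.
    return user.enabled or has_rights(user, required)


def authorize_fixed(user: User, required: Rights) -> bool:
    # Both must hold: the account is enabled AND it holds the required right.
    return user.enabled and has_rights(user, required)


def divergent_cases(required: Rights) -> list[User]:
    """Enumerate the modelled (enabled, rights) states where the checks disagree."""
    grants = [Rights.NONE, Rights.READ_LOGS, Rights.CHANGE_VERSION,
              Rights.READ_LOGS | Rights.CHANGE_VERSION | Rights.RESTART_HOST]
    return [User(e, g) for e, g in product([True, False], grants)
            if authorize_buggy(User(e, g), required)
            != authorize_fixed(User(e, g), required)]


if __name__ == "__main__":
    for u in divergent_cases(Rights.RESTART_HOST):
        print(f"enabled={u.enabled!s:5} rights={u.rights!r} -> allowed only by the OR check")
```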