{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-2858","assignerOrgId":"0cbda920-cd7f-484a-8e76-bf7f4b7f4516","state":"PUBLISHED","assignerShortName":"INCIBE","dateReserved":"2025-03-27T10:59:40.368Z","datePublished":"2025-03-28T13:08:23.567Z","dateUpdated":"2025-03-28T13:38:38.910Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"saTECH BCU","vendor":"Arteche","versions":[{"status":"affected","version":"2.1.3"}]}],"credits":[{"lang":"en","type":"finder","value":"Aarón Flecha"},{"lang":"en","type":"finder","value":"Gabriel Vía Echezarreta"}],"datePublic":"2025-03-27T11:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Privilege escalation vulnerability in the saTECH BCU firmware version 2.1.3. An attacker with access to the CLI of the device could make use of the nice command to bypass all restrictions and elevate privileges as a superuser."}],"value":"Privilege escalation vulnerability in the saTECH BCU firmware version 2.1.3. An attacker with access to the CLI of the device could make use of the nice command to bypass all restrictions and elevate privileges as a superuser."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":8.5,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-269","description":"CWE-269 Improper Privilege Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"0cbda920-cd7f-484a-8e76-bf7f4b7f4516","shortName":"INCIBE","dateUpdated":"2025-03-28T13:08:23.567Z"},"references":[{"url":"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The vulnerability has been fixed by Arteche in firmware version 2.2.1."}],"value":"The vulnerability has been fixed by Arteche in firmware version 2.2.1."}],"source":{"discovery":"EXTERNAL"},"title":"Privilege escalation vulnerability in saTECH BCU","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-03-28T13:38:33.493732Z","id":"CVE-2025-2858","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-03-28T13:38:38.910Z"}}]}}