-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-048
Product: Workspace ONE UEM
Manufacturer: Omnissa
Affected Version(s): 24.6.0.21
Tested Version(s): 24.6.0.21
Vulnerability Type: Improper Restriction of Excessive Authentication Attempts (CWE-307)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2025-07-18
Solution Date: 2025-11-12
Public Disclosure: 2026-02-13
CVE Reference: CVE-2025-25236
Author of Advisory: Philipp Buchegger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Omnissa Workspace ONE is software for managing endpoint devices.

The manufacturer describes the product as follows (see [1]):

"Manage, secure and monitor all devices across all platforms.
[...]
With Omnissa Workspace ONE®, your organization can ease the operational
burden on your IT workforce via an autonomous workspace, freeing them to
focus on higher-value tasks."

An internet-exposed API allows for unrestricted brute-force attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The endpoint "/DeviceServices/awmdmsdk/v3/shareddevice/checkout/authenticate"
accepts hundreds of requests per second. An attacker could therefore use
this behavior to perform a brute-force attack in order to enumerate valid
user credentials.

During testing, neither a rate limit, an account lockout, nor any logging
of this attack was detected.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request can be used for a brute-force attack:

POST /DeviceServices/awmdmsdk/v3/shareddevice/checkout/authenticate HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Connection: keep-alive
Accept-Language: de-DE
Content-Length:
Accept-Encoding: gzip, deflate, br
User-Agent: Hub/4444 CFNetwork/3826.500.131 Darwin/24.5.0

{"DeviceIdentifier":"","GroupCode":"","Password":"","AuthenticationGroup":"com.air-watch.agent","Username":"","BundleId":"com.air-watch.agent","DeviceType":2}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Implement a time-limited account-blocking mechanism that is triggered
when automated attacks are detected. The block must be reported to the
client through a generic error message, so that the response cannot be
used to enumerate valid user names. In addition, requests should be
slowed down when the rate of authentication attempts is too high.

See https://www.omnissa.com/omsa-2025-0005

More information: https://en.wikipedia.org/wiki/Oracle_attack

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-07-15: Vulnerability discovered
2025-07-18: Vulnerability reported to manufacturer
2025-09-10: Patch released by manufacturer
2026-02-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Omnissa Workspace ONE for Unified Endpoint Management
    https://go.omnissa.com/Workspace-ONE-for-UEM
[2] SySS Security Advisory SYSS-2025-048
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-048.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Philipp Buchegger and
Sebastian Auwärter of SySS GmbH.
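The countermeasures listed under "Solution" (time-limited account block, throttling of high attempt rates, a single generic error message, and server-side logging of failed attempts) as an added Python example. This is illustrative code written for this page; it is neither part of the advisory nor Omnissa's implementation. The class name AuthGuard, the limits, the user names and the FakeClock helper are all constructed assumptions.

```python
"""Added example, not Omnissa's code: a guard for an authentication
endpoint that blocks an account for a limited time after repeated
failures, throttles high attempt rates per source address, logs every
failed attempt server-side, and returns one generic error message so
that a caller cannot tell a locked or unknown account from a wrong
password.  All limits, names and users below are constructed."""
import hashlib
import hmac
import logging
import time
from collections import defaultdict, deque

LOG = logging.getLogger("auth-guard")

# Constructed policy values; choose real ones per deployment.
MAX_FAILURES = 5           # failed attempts before a temporary account block
LOCKOUT_SECONDS = 900      # how long the block lasts
RATE_WINDOW_SECONDS = 60   # sliding window for per-source throttling
RATE_MAX_ATTEMPTS = 20     # attempts allowed per source address per window
PBKDF2_ROUNDS = 10_000     # kept low for the example; use far more in practice

GENERIC_ERROR = "Authentication failed."   # same text for every failure cause
DUMMY_SALT = b"constructed-dummy-salt"     # used when the user does not exist
DUMMY_HASH = bytes(32)                     # can never equal a real PBKDF2 output


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class FakeClock:
    """Deterministic clock for tests; advance by setting .t."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class AuthGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for deterministic tests
        self.users = {}                         # username -> (salt, password hash)
        self.failures = defaultdict(int)        # username -> consecutive failures
        self.locked_until = {}                  # username -> unlock timestamp
        self.source_hits = defaultdict(deque)   # source -> attempt timestamps

    def add_user(self, username: str, password: str, salt: bytes) -> None:
        self.users[username] = (salt, derive(password, salt))

    def is_locked(self, username: str) -> bool:
        return self.locked_until.get(username, 0.0) > self.clock()

    def _source_allowed(self, source: str, now: float) -> bool:
        """Sliding-window throttle: at most RATE_MAX_ATTEMPTS per window."""
        hits = self.source_hits[source]
        while hits and hits[0] <= now - RATE_WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= RATE_MAX_ATTEMPTS:
            return False
        hits.append(now)
        return True

    def authenticate(self, username: str, password: str, source: str):
        """Returns (True, 'OK') or (False, GENERIC_ERROR).  The real reason
        goes only to the server-side log, never to the caller."""
        now = self.clock()
        if not self._source_allowed(source, now):
            LOG.warning("throttled source=%s user=%s", source, username)
            return False, GENERIC_ERROR
        if self.is_locked(username):
            LOG.warning("attempt on blocked account user=%s source=%s", username, source)
            return False, GENERIC_ERROR

        # Always run the password derivation so that unknown and known
        # accounts take the same time to reject (no timing oracle).
        salt, expected = self.users.get(username, (DUMMY_SALT, DUMMY_HASH))
        if hmac.compare_digest(derive(password, salt), expected):
            self.failures.pop(username, None)
            LOG.info("login ok user=%s source=%s", username, source)
            return True, "OK"

        # Failures are counted for unknown names too, so the response and
        # the block behave identically for existing and non-existing users.
        self.failures[username] += 1
        LOG.warning("login failed user=%s source=%s count=%d",
                    username, source, self.failures[username])
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            LOG.warning("account temporarily blocked user=%s until=%.0f",
                        username, self.locked_until[username])
        return False, GENERIC_ERROR
```

Both the block and the throttle return the same `GENERIC_ERROR` text, and the dummy derivation keeps rejection time constant for unknown names, so neither the message nor the latency acts as an oracle for valid user names. The `failures` dictionary grows with every distinct name tried; a production version would bound it (for example with an expiring cache) and place the counters in shared storage so that the limits hold across all application nodes.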
E-Mail: philipp.buchegger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc
Key ID: 0x065809F0BB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEESJ807vqIJ95poHVrBlgJ8LtnR+gFAmmPHT4ACgkQBlgJ8Ltn
R+gTyA/5AYzrpChX3DdQmPabQWYbgsM2JaXXajtQFGRrjtKoaP9+Y/+JmgWgIO/n
tJ+keexk3dF/itt8A6bH/v0w6oFPvqlZPD0xspmJHedwleSBLu9O0jeZyDzqiTZL
owidTOs294kNHWqml6mHxprJIxEvmXv3sl03Z2DSRbx7NoWmQCfPLr7gqEatk5RG
dfDD4cmMxnrxUY2XPlUcpBRn95buYayDKyafbKjD4gHmoH4Fcv2xQO0Ay0LbIQam
Qa9IuEXFmso+dGuPJhRvvWPmIi2WfPyVKs/wXWzESAh5Zf7hS2hwJPDCj3L/3C3M
pbZobxynsnE2GcxLwePXdyUd0a0xUbwa5aNNZUa/gZSA5EixcJTb6G9Boy30DjZl
ljme0gJUKnpfbSGyDzulghnb+EYeglMtJnCvyMJPmJN7xEvBW0JJrg2Pmvmw+d02
BdkYidNihjPGseWHUE6EX6zTD+d30rruJjmYdsMqWgQPZiz4Neq4pdVjSC9dyUjy
FqHma6J+jgSQPWmcsB1pZUf08ZXPz/7J/1FGem3PHTn4b9c8wU7H9AUdtKouNLkQ
vX23xdRDXK3bm0e9JLK5jYfS9iNVsBlhCeBo34HqbnX5qYilZ76ebtRfkAfZlV6n
sUOTV+OKtfsdQn2+J9Xbk+0c088832q6klkSn3cLqHBiFB/IZSY=
=WkFG
-----END PGP SIGNATURE-----