RCE in SecOps SOAR server via user-provided Python packages

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

Description

A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an "IDE role" to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code. An attacker could upload a package containing a malicious setup.py file, which would execute on the server during the installation process, leading to potential server compromise.

No customer action is required.

All customers have been automatically upgraded to the fixed version: 6.3.64 or higher.

Basic Information

ID CVE-2025-13428

Source GoogleCloud

Published Dec 9, 2025 at 06:28

Affected Product

Vendor Google Cloud

Product Google Cloud SecOps SOAR

Affected Versions Google Cloud Google Cloud SecOps SOAR 0

CWE Classification

CWE-20

References

cloud.google.com /support/bulletins

{
    "lastseen": "",
    "description": "A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an \"IDE role\" to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code. An attacker could upload a package containing a malicious setup.py file, which would execute on the server during the installation process, leading to potential server compromise.\n\nNo customer action is required. \n\n\nAll customers have been automatically upgraded to the fixed version: 6.3.64 or higher.",
    "published": "2025-12-09T06:28:08.928Z",
    "modified": "2025-12-09T06:28:08.928Z",
    "type": "cve",
    "title": "RCE in SecOps SOAR server via user-provided Python packages",
    "source": "GoogleCloud",
    "references": "https://cloud.google.com/support/bulletins#gcp-2025-075",
    "id": "CVE-2025-13428",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "Google Cloud Google Cloud SecOps SOAR 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Google Cloud SecOps SOAR",
    "version": "0",
    "vendor": "Google Cloud",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

RCE in SecOps SOAR server via user-provided Python packages_CVE-2025-13428