CVE-2025-13084

Opto 22 groov View Exposure of Sensitive Information Through Metadata

CVSS 6.1 MEDIUM | EPSS 0.2% | CWE-1230
In short

The users endpoint of the groov View API returns every user's API key to any authenticated caller holding the Editor role. An attacker with Editor permissions can therefore read the secret API keys of all users, including Administrators, and act with those accounts' privileges.

Technical detail

The users endpoint in the groov View API returns a list of all users together with their metadata, including each user's API key. The only access control on the endpoint is an Editor-role check; the secret fields are not restricted to their owner or to Administrators. An authenticated attacker with Editor privileges can therefore enumerate the listing, extract the API keys of Administrator accounts, and use them to reach functions the Editor role does not grant, which is a privilege escalation. The CVSS v4.0 vector reflects this: the endpoint is reachable over the network (AV:N), a low-privileged account is required (PR:L), and the confidentiality impact on the vulnerable system is high (VC:H).
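The pattern behind this advisory, shown as an added example that is not Opto 22's code: a hypothetical user-listing handler in which the role check passes but the whole user record, API key included, is serialised, beside a hardened variant that strips secret fields from listings for every user. The role names other than Editor and Administrator, the field names (`api_key`, `name`, `role`), the user table and the key values are all assumptions constructed for the example; a small helper at the end audits a captured response for keys that remain exposed.

```python
"""Hypothetical model of a users-listing endpoint (not Opto 22's code):
a vulnerable serializer that returns every user's API key to any Editor,
beside a hardened one that never puts secrets in a listing, plus an audit
helper for checking a captured response body."""
import json
from typing import Any

# Assumed role ordering; the advisory only names Editor and Administrator.
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Administrator": 2}

# Constructed user table with made-up API keys and assumed field names.
USERS = [
    {"id": 1, "name": "alice", "role": "Administrator", "api_key": "ak_admin_0000aaaa"},
    {"id": 2, "name": "bob",   "role": "Editor",        "api_key": "ak_editor_1111bbbb"},
    {"id": 3, "name": "carol", "role": "Viewer",        "api_key": "ak_viewer_2222cccc"},
]

# Fields that must never appear in a multi-user listing.
SECRET_FIELDS = {"api_key"}


def _require_editor(caller: dict[str, Any]) -> None:
    """Both variants keep the advisory's access rule: Editor role or above."""
    if ROLE_RANK.get(caller.get("role", ""), -1) < ROLE_RANK["Editor"]:
        raise PermissionError("Editor role required")


def list_users_vulnerable(caller: dict[str, Any], users=USERS) -> str:
    """The flaw: the role check passes, then each full record, secret
    fields included, is serialised for the caller."""
    _require_editor(caller)
    return json.dumps(users)


def list_users_hardened(caller: dict[str, Any], users=USERS) -> str:
    """Fix: a listing carries metadata only. Secret fields are dropped for
    every user, including the caller, so an Editor can never read an
    Administrator's key from this endpoint."""
    _require_editor(caller)
    public = [{k: v for k, v in u.items() if k not in SECRET_FIELDS} for u in users]
    return json.dumps(public)


def exposed_keys(response_body: str, secret_fields=SECRET_FIELDS) -> list[tuple[str, str]]:
    """Audit a captured listing response: return (name, role) for each entry
    that still carries a non-empty secret field."""
    hits = []
    for entry in json.loads(response_body):
        if any(entry.get(f) for f in secret_fields):
            hits.append((entry.get("name", "?"), entry.get("role", "?")))
    return hits


if __name__ == "__main__":
    editor = USERS[1]
    print("vulnerable listing exposes:", exposed_keys(list_users_vulnerable(editor)))
    print("hardened listing exposes:  ", exposed_keys(list_users_hardened(editor)))
```

The audit helper is the check to run against a real response captured with an Editor session: any entry it reports, and in particular any entry with an Administrator role, confirms the exposure described above. Removing secret fields from list responses altogether, rather than filtering them per caller, is the simpler fix because it leaves no role-comparison logic to get wrong.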

Official description (the summary above was generated and translated by AI from it)

The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.

CVSS v4.0 vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
