LiveActive security incident?Get immediate response
CVE Record

CVE-2021-3825: Missing Authorization Checks in LiderAhenk

On 2.1.15 version and below of Lider module in LiderAhenk software is leaking it's configurations via an unsecured API. An attacker with an access to the configurations API could get valid LDAP credentials.

CriticalCVSS 9.6Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2021-3825 affects the Lider module in LiderAhenk 2.1.15 and below. An unsecured configurations API can expose valid LDAP credentials. For an organization using this software, the business risk is credential theft that could enable broader directory or endpoint compromise.

Executive priority

Treat this as urgent if LiderAhenk is deployed. The primary risk is leakage of LDAP credentials, which can become a gateway to wider organizational compromise. Prioritize inventory, exposure reduction, vendor guidance review, and credential rotation where exposure is confirmed.

Technical view

The issue is a missing authorization check, mapped to CWE-306. The CVSS 3.1 score is 9.6 with adjacent-network attack vector, no privileges, and no user interaction. Sources state the API can leak configuration data including LDAP credentials, with high confidentiality, integrity, and availability impact.

Likely exposure

Likely exposure is limited to organizations running TUBITAK Lider/LiderAhenk, specifically Lider module 2.1.15 or below, where the configurations API is reachable. The sources do not establish general internet exposure. The CVE affected-product metadata is incomplete, so local inventory and vendor confirmation are important.

Exploitation context

CISA KEV is not indicated in the provided data, and no cited source confirms active exploitation. A public research blog is referenced. The vulnerability does not require authentication or user interaction, but the CVSS vector indicates adjacent-network access rather than fully remote internet access.

Researcher notes

Evidence is strong on vulnerability class and impact, but incomplete on exact affected package metadata and remediation. The CVE description names Lider module 2.1.15 and below, while affected-version fields are sparse. Avoid assuming internet exploitability; CVSS states adjacent network.

Mitigation direction

  • Check TUBITAK, USOM, or national advisory guidance for fixed versions or official mitigations.
  • Identify and upgrade or retire Lider module versions 2.1.15 and below if vendor guidance confirms remediation.
  • Restrict access to the configurations API to trusted administrative networks only.
  • Rotate exposed LDAP credentials after containment and remediation.
  • Review LDAP permissions tied to LiderAhenk for unnecessary privilege.

Validation and detection

  • Inventory LiderAhenk deployments and record Lider module versions.
  • Confirm whether any instance is version 2.1.15 or below.
  • Determine which networks can reach the configurations API.
  • Review access logs for suspicious or unauthenticated configuration API access.
  • Audit LDAP accounts used by LiderAhenk for unexpected activity.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-306: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-3825 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.6 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.6CVSS 3.1CriticalCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H2.86TR-CERT

Vulnerability scoring details

Base CVSS 3.1 score

9.6Critical
CVSS 3.1 vector shape for CVE-2021-3825Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
TUBITAKLiderunspecifiedunaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-306 · source CWE mapping

Missing Authentication for Critical Function

Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.