Skip to main content
Emerging Threats

GMOD Apollo: A New Era in Gaming Modifications

GMOD Apollo: A New Era in Gaming Modifications

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: GMOD
  • Equipment: Apollo
  • Vulnerabilities: Incorrect Privilege Assignment, Relative Path Traversal, Missing Authentication for Critical Function, Generation of Error Message Containing Sensitive Information

2. RISK EVALUATION

The vulnerabilities identified in GMOD Apollo present significant risks to users and organizations. Successful exploitation could enable attackers to escalate privileges, bypass authentication mechanisms, upload malicious files, or disclose sensitive information. The potential for remote exploitation with low complexity increases the urgency for users to address these vulnerabilities promptly.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following GMOD products are affected:

  • Apollo: All versions prior to 2.8.0

3.2 VULNERABILITY OVERVIEW

3.2.1 Incorrect Privilege Assignment CWE-266

This vulnerability arises from insufficient logical or access checks when updating user information, allowing attackers to escalate privileges. The assigned CVE-2025-21092 has a CVSS v3.1 base score of 6.5 and a CVSS v4 score of 7.1, indicating a moderate to high risk of exploitation.

3.2.2 Relative Path Traversal CWE-23

The application fails to check for path traversal vulnerabilities when unzipping files uploaded via the web interface. This oversight could allow attackers to manipulate file paths and access unauthorized data. CVE-2025-23410 has a CVSS v3.1 base score of 9.8 and a CVSS v4 score of 9.3, highlighting its critical nature.

3.2.3 Missing Authentication for Critical Function CWE-306

Certain functionalities within GMOD Apollo do not require authentication when accessed with an administrative username, creating a significant security gap. CVE-2025-24924 has a CVSS v3.1 base score of 9.8 and a CVSS v4 score of 9.3, indicating a high risk of unauthorized access.

3.2.4 Generation of Error Message Containing Sensitive Information CWE-209

When users attempt to upload files that do not meet the required criteria, GMOD Apollo discloses local path information, which could be exploited by attackers. CVE-2025-20002 has a CVSS v3.1 base score of 5.3 and a CVSS v4 score of 6.9, indicating a moderate risk of information leakage.

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Government Services and Facilities, Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

The vulnerabilities were reported to GMOD by the Cybersecurity and Infrastructure Security Agency (CISA).

4. MITIGATIONS

GMOD recommends that users update to the latest version, 2.8.0, to mitigate these vulnerabilities. CISA also advises implementing defensive measures to minimize the risk of exploitation, including:

  • Minimize network exposure: Ensure that all control system devices are not accessible from the Internet.
  • Network isolation: Place control system networks and remote devices behind firewalls, isolating them from business networks.
  • Secure remote access: Use secure methods such as Virtual Private Networks (VPNs) for remote access, while recognizing that VPNs may have vulnerabilities and should be kept updated.

CISA emphasizes the importance of conducting proper impact analysis and risk assessments before deploying defensive measures. Organizations are encouraged to follow established procedures for reporting suspected malicious activity to CISA.

As of now, no known public exploitation targeting these vulnerabilities has been reported to CISA.

5. UPDATE HISTORY

  • March 4, 2025: Initial Publication