The Digital Security Authority (DSA) wants to bring to your attention a Secondary Context Path Traversal vulnerability affecting Omnissa Workspace ONE UEM.
Technical Details
Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability. A malicious actor may be able to gain access to sensitive information by sending crafted GET requests (read-only) to restricted API endpoints.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
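One way a defender could hunt for such requests in web access logs is sketched below. It is an added example, not code from the advisory or from Omnissa: it resolves each GET target the way a downstream component might (repeated percent-decoding, then dot-segment removal) and flags requests routed under an allowed prefix that resolve outside it. The log format, `ALLOWED_PREFIX` and every path are assumptions made for illustration and are not Workspace ONE UEM endpoints.

```python
import posixpath
import re
from urllib.parse import unquote

ALLOWED_PREFIX = "/public/"  # assumption: the only route the front end should expose
MAX_DECODE_ROUNDS = 3        # a downstream component may decode more than once
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def resolve(target: str) -> str:
    """Path a backend could act on after percent-decoding and dot-segment removal."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path.replace("\\", "/"))

def is_traversal(target: str) -> bool:
    """True when a request routed under ALLOWED_PREFIX resolves outside it."""
    routed = target.split("?", 1)[0].startswith(ALLOWED_PREFIX)
    return routed and not (resolve(target) + "/").startswith(ALLOWED_PREFIX)

def flag_requests(lines):
    """Return (client, target, resolved_path) for each suspicious GET request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "GET":  # the advisory concerns crafted GET requests
            continue
        client, target = m.group(1), m.group(3)
        if is_traversal(target):
            hits.append((client, target, resolve(target)))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.10 - - [01/Jan/2025:10:00:01 +0000] "GET /public/assets/logo.png HTTP/1.1" 200 512',
    '198.51.100.10 - - [01/Jan/2025:10:00:02 +0000] "GET /public/docs/../assets/app.js HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /public/..%2f..%2fapi/restricted/item?id=1 HTTP/1.1" 200 77',
    '203.0.113.7 - - [01/Jan/2025:10:00:04 +0000] "GET /public/%252e%252e%252fapi/restricted/item HTTP/1.1" 200 77',
    '198.51.100.11 - - [01/Jan/2025:10:00:05 +0000] "POST /public/form HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The second sample line contains `..` but still resolves inside the allowed prefix, so it is not flagged; the check is on where the path ends up, not on whether dot-segments appear.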
Recommendations
The Digital Security Authority recommends performing the necessary mitigation steps, which can be found on the Omnissa site.
References
The information presented in this report is based on available data up to the 15th of September 2025.