Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Mersive Solstice Pod Unauthenticated API Endpoint Information Disclosure Vulnerability

Vulnerability

An unauthenticated API endpoint in Mersive Solstice Pod versions 5.5 and 6.2 exposes sensitive information, including the session key, server version, product details, and display name. Unauthorized users can access this endpoint to extract live session information without authentication.

Impact

Exploitation of this vulnerability allows unauthorized users to access sensitive session information, which could lead to further exploitation or unauthorized access.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/api/config' endpoint on a Solstice Pod server. The request requires no authentication, and the server returns a JSON response containing the session key, server version, product name, product variant, and display name.
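From a defender's side, the useful artefact is the access log: every retrieval of '/api/config' that carried no credentials, or that came from outside the network where the pods are managed, is either a probe or an actual disclosure. The script below is an added example and is not part of the advisory or of Mersive's software. It assumes a combined-log-style line with one extra trailing field ("auth" or "noauth") recording whether an Authorization header was present, and a trusted management subnet of 10.20.0.0/24; both are assumptions, and the log lines are constructed.

```python
"""Flag requests to the Solstice Pod '/api/config' endpoint that were
unauthenticated or came from outside the management network.

Added example (not from the advisory). Assumed log format:
  <src> - - [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> <size> "<auth|noauth>"
The trailing auth field and the trusted subnet are assumptions; adapt them
to your reverse proxy / WAF log format and network layout.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Assumed: network from which administrators legitimately reach the pods.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Endpoint named in the advisory.
SENSITIVE_PATH = "/api/config"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<auth>auth|noauth)"$'
)


@dataclass
class Alert:
    src: str
    ts: str
    status: int
    severity: str   # "disclosure" (200 returned) or "probe" (anything else)
    reason: str


def is_trusted(src: str) -> bool:
    """True when the source address lies inside an allowed management subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False          # unparseable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def scan(lines: List[str]) -> List[Alert]:
    """Return one Alert per suspicious '/api/config' request found in the log."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                   # not in the assumed format
        path = m.group("path").split("?", 1)[0]        # ignore query string
        if m.group("method") != "GET" or path != SENSITIVE_PATH:
            continue
        reasons = []
        if m.group("auth") == "noauth":
            reasons.append("no Authorization header")
        if not is_trusted(m.group("src")):
            reasons.append("source outside management network")
        if not reasons:
            continue                                   # authenticated, trusted: normal admin use
        status = int(m.group("status"))
        alerts.append(Alert(
            src=m.group("src"),
            ts=m.group("ts"),
            status=status,
            severity="disclosure" if status == 200 else "probe",
            reason="; ".join(reasons),
        ))
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - - [04/Dec/2025:21:20:01 +0000] "GET /api/config HTTP/1.1" 200 512 "auth"',
    '203.0.113.7 - - [04/Dec/2025:21:20:05 +0000] "GET /api/config HTTP/1.1" 200 512 "noauth"',
    '10.20.0.15 - - [04/Dec/2025:21:20:09 +0000] "GET /api/config?x=1 HTTP/1.1" 200 512 "noauth"',
    '198.51.100.3 - - [04/Dec/2025:21:20:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "noauth"',
    '198.51.100.3 - - [04/Dec/2025:21:20:15 +0000] "GET /api/config HTTP/1.1" 401 0 "noauth"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} {a.severity.upper()} ({a.status}): {a.reason}")
```

The first sample line (authenticated, from the trusted subnet) produces nothing; the second and third are real disclosures because the pod answered 200 without credentials; the last is logged as a probe because the pod refused it. Once the fixed firmware is deployed, the "probe" class is the one worth watching, since it shows who is still scanning for the endpoint.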

Added: Dec 4, 2025, 9:20 PM
Updated: Dec 4, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          2.5
  exploitability  9.4
  remediation     0.0
  relevance       1.3
  threat          8.0
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.