Remote Code Execution via Opto22 Groov Manage REST API
2025-11-20 00:0:28 Author: github.com

Impact

The Opto22 Groov Manage maintenance application endpoint is vulnerable to remote code execution. An attacker can send a specially crafted request that achieves remote code execution in the context of the Opto Edge web application, which runs as root.

Vulnerability Description

When a POST request is executed against the /manage/api/v1/maintenance/update/apply endpoint, the application reads the uploader-file-id header from the request and unsafely uses this value to build a command that deletes a file. This allows an attacker to inject arbitrary commands, which execute as root.
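The following is an added example, not code from the advisory or from Opto22: a shell-free way to delete an uploaded file named by an untrusted uploader-file-id value. The id format, the upload directory layout, the function names and the "risky pattern" shown in the comment are assumptions, since the advisory does not publish the product's code.

```python
import os
import re
import tempfile

# Assumption: upload ids are short UUID-like tokens; the advisory does not give the real format.
FILE_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")


class InvalidFileId(ValueError):
    """Raised when the header value is not a plain upload id."""


def resolve_upload(upload_dir, file_id):
    """Map an untrusted uploader-file-id value to a path inside upload_dir."""
    if not isinstance(file_id, str) or not FILE_ID_RE.fullmatch(file_id):
        raise InvalidFileId("unexpected characters or length in uploader-file-id")
    base = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(base, file_id))
    # Defense in depth: the resolved path must stay inside the upload directory.
    if path == base or os.path.commonpath([base, path]) != base:
        raise InvalidFileId("uploader-file-id resolves outside the upload directory")
    return path


def delete_upload(upload_dir, file_id):
    """Delete an upload without a shell; returns True if a file was removed."""
    # Risky pattern this replaces (assumed shape, not the product's code):
    #   os.system("rm -f " + upload_dir + "/" + file_id)
    # There, shell metacharacters in the header become part of the command line.
    path = resolve_upload(upload_dir, file_id)
    try:
        os.unlink(path)  # direct syscall: the value is only ever treated as a file name
        return True
    except FileNotFoundError:
        return False


def demo():
    """Run the check over constructed header values; returns {value: outcome}."""
    results = {}
    samples = ["3f2a9c1e-0001", "3f2a9c1e-0001; id", "../etc/passwd", "$(id)", ""]
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "3f2a9c1e-0001"), "w").close()
        for value in samples:
            try:
                results[value] = "deleted" if delete_upload(d, value) else "missing"
            except InvalidFileId:
                results[value] = "rejected"
    return results
```

Rejected values are worth logging with the source address, since a legitimate client should never send anything outside the id format.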

Identification and Remediation

This issue was identified during a Red Team X assessment and is disclosed in CVE-2025-13087. It has since been resolved and a fix has been made available for customers.


Source: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-jq6g-ccmp-vccr