Cyber Resilience

CVE-2023-25913

High

Published: 21 August 2023

Published
21 August 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0010 27.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-25913 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Danfoss Ak-Sm 800A Firmware. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Because of an authentication flaw an attacker would be capable of generating a web report that discloses sensitive information such as internal IP addresses, usernames, store names and other sensitive information.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

danfoss
ak-sm 800a firmware
≤ 3.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-287

Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.

addresses: CWE-200 CWE-287

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

addresses: CWE-200 CWE-287

Audit record review and analysis can detect unauthorized exposure or access to sensitive information.

addresses: CWE-287 CWE-200

Penetration testing probes authentication mechanisms for bypasses, allowing identification and fixing of improper authentication issues.

addresses: CWE-200 CWE-287

The integrated analysis team enables faster detection and containment of incidents involving unauthorized exposure of sensitive information, limiting attacker success in exploiting such weaknesses.

addresses: CWE-287 CWE-200

Security architectures must specify authentication requirements and approaches, making systemic authentication weaknesses harder to introduce.

addresses: CWE-200 CWE-287

Trained staff understand data-handling requirements and are less likely to expose sensitive information through misconfiguration or poor design.

addresses: CWE-287 CWE-200

Hunting detects anomalous authentication patterns or successful bypasses that allow persistent unauthorized entry.

References