CVE-2025-0456
Published: 16 January 2025
Summary
CVE-2025-0456 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the airPASS product from NetVision Information. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.1% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
The vulnerability CVE-2025-0456 is a missing authentication flaw (CWE-306) in the airPASS product from NetVision Information. It enables unauthenticated remote access to administrative functionality that can retrieve all accounts and passwords. The issue received a CVSS v3.1 base score of 9.8, driven by network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can invoke the exposed administrative endpoints directly and extract the full set of stored credentials. With every account's password in hand, the attacker can then log in as any user, including administrators, which is why the score carries high impact on confidentiality, integrity, and availability for the affected installation.
TW-CERT has published coordinated advisories detailing the vulnerability at the referenced URLs.
The associated EPSS score has remained low and unchanged at 0.0156 (roughly a 1.6% estimated probability of exploitation activity in the next 30 days) from disclosure through the present.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1684
Vulnerability details
The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve all accounts and passwords.
- CWE(s): CWE-306 Missing Authentication for Critical Function
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Missing authentication on the public-facing admin interface lets a remote attacker exploit it directly (T1190) for credential access; the harvested accounts and passwords then enable full compromise of the installation.
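The trace that T1190-style abuse of an unauthenticated admin endpoint leaves behind is a request to an administrative path from a source that should never reach it. The following is an added detection example, not code from the advisory or from NetVision; the log lines, the `/admin/` route prefix and the `10.10.0.0/16` management range are all constructed assumptions, since the page does not name the affected endpoint.

```python
"""Added example (not from the advisory or the vendor): scan a web access
log for requests to administrative paths from outside the management
network. Log lines, the admin route prefix and the management range are
constructed for illustration, not taken from airPASS."""
import ipaddress
import re

# Constructed sample in combined log format (not real airPASS logs).
# The second line models the CWE-306 case: an external client gets a 200
# and a full response body from the admin route with no prior login.
SAMPLE_LOG = """\
10.10.5.4 - - [16/Jan/2025:09:01:12 +0800] "GET /admin/accounts HTTP/1.1" 200 5821 "-" "Mozilla/5.0"
203.0.113.77 - - [16/Jan/2025:09:02:45 +0800] "GET /admin/accounts HTTP/1.1" 200 5821 "-" "python-requests/2.31"
203.0.113.77 - - [16/Jan/2025:09:02:46 +0800] "GET /login HTTP/1.1" 200 1203 "-" "python-requests/2.31"
198.51.100.9 - - [16/Jan/2025:09:05:03 +0800] "GET /admin/accounts HTTP/1.1" 401 0 "-" "curl/8.4.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed management range
ADMIN_PREFIXES = ("/admin/",)                        # assumed admin route prefix


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_management_ip(ip):
    """True when the client address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def find_admin_hits(log_text):
    """Return (ip, path, status) for every admin-path request from outside
    the management network. A 200 means the admin function ran for an
    unauthenticated caller; a 401/403 is still an attempt worth recording."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(ADMIN_PREFIXES) and not is_management_ip(rec["ip"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_admin_hits(SAMPLE_LOG):
        print(f"admin path from non-management source: {ip} {path} -> {status}")
```

On a patched device the same query should only ever surface 401/403 responses; a 200 with a non-trivial response size from a non-management source is the signal that the unauthenticated path is still reachable.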
Mitigating Controls (NIST 800-53 r5)
AC-14 (Permitted Actions Without Identification or Authentication) requires the organization to enumerate the few actions that may be performed without authentication; administrative functions such as listing accounts and passwords must never be among them, which directly addresses the missing check in the airPASS administrative functionality.
AC-3 (Access Enforcement) requires the system to enforce approved access-control policy on every request for a protected resource, so a request to retrieve accounts and passwords is rejected unless the caller has been authenticated and is authorized for that function.
IA-8 (Identification and Authentication (Non-Organizational Users)) requires remote, non-organizational users to be identified and authenticated before they are granted any access, blocking an unauthenticated remote attacker from reaching the vulnerable airPASS function in the first place.
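The controls above reduce to one concrete change in the request path: the administrative function must not run until the caller has been authenticated and authorized, and the response should not carry password material at all. The block below is an added illustration of that pattern and is not airPASS code; the `/admin/accounts` route, the `X-Session-Token` header, the session table and the accounts are all constructed assumptions.

```python
"""Added example (not NetVision/airPASS code): a minimal admin route with
the CWE-306 pattern beside a hardened version that enforces AC-14/IA-8
(authenticate first), AC-3 (authorize the function) and returns no
password material. Route, header name, sessions and accounts are
constructed for illustration."""

# Constructed account store. The vulnerable variant models a product that
# keeps clear-text passwords and hands them back to any caller.
ACCOUNTS = {
    "admin": {"role": "admin", "password": "Adm1n-Passw0rd!"},
    "guest": {"role": "user", "password": "guest123"},
}

# Constructed session table: bearer token -> username. In a real system the
# token would be issued by a login step and stored server-side.
SESSIONS = {"tok-admin-0001": "admin", "tok-user-0002": "guest"}

ADMIN_ROUTE = "/admin/accounts"  # assumed path; the advisory names none


def vulnerable_handler(path, headers):
    """CWE-306: the admin route never asks who is calling and returns
    every account with its password. Returns (status, body)."""
    if path == ADMIN_ROUTE:
        return 200, [{"user": u, "password": a["password"]} for u, a in ACCOUNTS.items()]
    return 404, None


def _caller(headers):
    """Resolve the session token to a username; None when absent or unknown."""
    return SESSIONS.get(headers.get("X-Session-Token", ""))


def hardened_handler(path, headers):
    """Authenticate (AC-14 / IA-8), then authorize (AC-3), and only then run
    the function. The listing never includes password material, so even an
    authorized read cannot turn into a credential dump. Returns (status, body)."""
    if path != ADMIN_ROUTE:
        return 404, None
    user = _caller(headers)
    if user is None:
        return 401, None                      # no identity: refuse before doing any work
    if ACCOUNTS[user]["role"] != "admin":
        return 403, None                      # identified but not permitted this function
    return 200, [{"user": u, "role": a["role"]} for u, a in ACCOUNTS.items()]


if __name__ == "__main__":
    print("vulnerable, no auth:", vulnerable_handler(ADMIN_ROUTE, {}))
    print("hardened, no auth:  ", hardened_handler(ADMIN_ROUTE, {}))
    print("hardened, user:     ", hardened_handler(ADMIN_ROUTE, {"X-Session-Token": "tok-user-0002"}))
    print("hardened, admin:    ", hardened_handler(ADMIN_ROUTE, {"X-Session-Token": "tok-admin-0001"}))
```

The ordering matters: the route check, the identity check and the role check all happen before the account store is touched, so an unauthenticated request costs the server nothing and leaks nothing, which is the behaviour AC-14 and IA-8 describe and the behaviour the vulnerable handler lacks.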