Cyber Resilience

CVE-2025-0456

Severity: Critical
Published: 16 January 2025
Modified: 15 April 2026
CVSS v3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0156 (81.9th percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0456 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability affecting Org, a vendor inferred from the references (see Affected Assets). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

The vulnerability CVE-2025-0456 is a missing authentication flaw (CWE-306) in the airPASS product from NetVision Information. It enables unauthenticated remote access to administrative functionality that can retrieve all accounts and passwords. The issue received a CVSS v3.1 base score of 9.8, driven by network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated attacker anywhere on the network can directly invoke the exposed administrative endpoints to extract the full set of credentials, resulting in complete loss of confidentiality, integrity, and availability on the affected installation.

TW-CERT has published coordinated advisories detailing the vulnerability at the referenced URLs.

The associated EPSS score remains low and unchanged at 0.0156 from disclosure through the present.

Vulnerability details

The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve all accounts and passwords.

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on public-facing admin interface directly enables remote exploitation for credential access and full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21515 (shared CWE-306)
CVE-2025-57432 (shared CWE-306)
CVE-2026-27446 (shared CWE-306)
CVE-2026-21446 (shared CWE-306)
CVE-2021-47891 (shared CWE-306)
CVE-2025-41715 (shared CWE-306)
CVE-2026-24790 (shared CWE-306)
CVE-2025-21524 (shared CWE-306)
CVE-2025-53072 (shared CWE-306)
CVE-2025-40771 (shared CWE-306)

Affected Assets

Org (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-14 explicitly identifies and restricts administrative actions without identification or authentication, directly preventing exploitation of the missing authentication vulnerability in airPASS administrative functionality.

Prevent: AC-3 enforces approved access control policies requiring authentication for sensitive resources, mitigating unauthenticated access to retrieve accounts and passwords.

Prevent: IA-8 mandates identification and authentication for non-organizational users before remote connections, blocking unauthenticated remote attackers from exploiting the airPASS vulnerability.

References