CVE-2025-0586
Published: 20 January 2025
Summary
CVE-2025-0586 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Aenrich A\+Hrd. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
The a+HRD application from aEnrich Technology is affected by an insecure deserialization vulnerability (CWE-502) that enables remote code execution. The flaw is tracked as CVE-2025-0586 and carries a CVSS 3.1 score of 7.2, reflecting network-accessible attack vectors with high impact on confidentiality, integrity, and availability when successfully exploited.
Attackers who already hold database modification privileges along with regular system-level access can leverage the issue to execute arbitrary code on the target system. No additional user interaction or special UI conditions are required beyond those privilege levels.
Public advisories published by the Taiwan Computer Emergency Response Team (TW-CERT) on 20 January 2025 contain further details and are available at the referenced URLs. The current EPSS score of 0.0175, with a recorded peak of 0.0253, indicates persistently low exploitation probability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1782
Vulnerability details
The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure deserialization (CWE-502) in a network-accessible application directly enables remote arbitrary code execution by an authenticated attacker.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the insecure deserialization flaw in a+HRD by requiring timely identification, testing, and installation of patches or upgrades for known vulnerabilities like CVE-2025-0586.
Enforces least privilege to restrict users from obtaining both database modification privileges and regular system privileges prerequisite for remote exploitation.
Mandates validation of information inputs, including database content, to detect and block malicious payloads prior to insecure deserialization processing.