Cyber Resilience

CVE-2025-0586

High severity · RCE

Published: 20 January 2025
Modified: 17 November 2025
KEV Added: not listed
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0236 (85.3rd percentile)
Risk priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0586 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in aEnrich a+HRD. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

The a+HRD application from aEnrich Technology is affected by an insecure deserialization vulnerability (CWE-502) that enables remote code execution. The flaw is tracked as CVE-2025-0586 and carries a CVSS 3.1 score of 7.2, reflecting a network-accessible attack vector (AV:N), a high-privilege prerequisite (PR:H), and high impact on confidentiality, integrity, and availability when successfully exploited.

Attackers who already hold database modification privileges along with regular system-level access can leverage the issue to execute arbitrary code on the target system. No additional user interaction or special UI conditions are required beyond those privilege levels.

Public advisories published by the Taiwan Computer Emergency Response Team (TW-CERT) on 20 January 2025 contain further details and are available at the referenced URLs. The current EPSS score of 0.0175, with a recorded peak of 0.0253, indicates persistently low exploitation probability.

Vulnerability details

The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary code execution.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Insecure deserialization (CWE-502) in a network-accessible application directly enables remote arbitrary code execution by an authenticated attacker.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0585 (same product: aEnrich a+HRD)
CVE-2025-12870 (same product: aEnrich a+HRD)
CVE-2025-12871 (same product: aEnrich a+HRD)
CVE-2024-13770 (shared CWE-502)
CVE-2026-27303 (shared CWE-502)
CVE-2025-53586 (shared CWE-502)
CVE-2025-64353 (shared CWE-502)
CVE-2025-31047 (shared CWE-502)
CVE-2026-27096 (shared CWE-502)
CVE-2023-49886 (shared CWE-502)

Affected Assets

Vendor: aEnrich
Product: a+HRD
Versions: ≤ 7.5

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly addresses the insecure deserialization flaw in a+HRD by requiring timely identification, testing, and installation of patches or upgrades for known vulnerabilities such as CVE-2025-0586.

AC-6 Least Privilege (prevent)

Enforces least privilege so that a single account cannot hold both the database modification privileges and the regular system privileges that are prerequisites for remote exploitation.

SI-10 Information Input Validation (prevent)

Mandates validation of information inputs, including content read back from the database, so that malicious payloads are detected and rejected before they reach the deserialization routine.
