
CVE-2025-0739

High

Published: 30 January 2025

Modified: 10 October 2025
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.0008 (24.1st percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0739 is a high-severity Improper Access Control (CWE-284) vulnerability in Thesamur Embedai. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-0739 is an Improper Access Control vulnerability (CWE-284) affecting EmbedAI version 2.1 and below. The issue resides in the endpoint "/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>", where insufficient controls allow manipulation of the SUSCBRIPTION_ID parameter. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges or user interaction, and changed scope with high confidentiality impact.

An authenticated attacker can exploit this vulnerability by altering the SUSCBRIPTION_ID parameter in the specified endpoint to access and view subscription information belonging to other users. This enables unauthorized exposure of sensitive subscription details without impacting integrity or availability.

The primary advisory is published by INCIBE-CERT, detailing multiple vulnerabilities in EmbedAI, including this issue, available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai. Practitioners should consult this notice for additional context and recommended mitigations.


Vulnerability details

An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to view the subscription information of other users by changing the "SUSCBRIPTION_ID" param of the endpoint "/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>".


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1087.004 Cloud Account Discovery: Adversaries may attempt to get a listing of cloud accounts.

Why these techniques?

CVE-2025-0739 is an improper access control (IDOR) vulnerability in a public-facing web application, enabling exploitation for initial access or post-auth data disclosure (T1190). It facilitates cloud account discovery (T1087.004) by allowing manipulation of the subscription ID parameter to access other users' subscription information.

CVEs Like This One

CVE-2025-0745: same product (Thesamur Embedai)
CVE-2025-0744: same product (Thesamur Embedai)
CVE-2025-0740: same product (Thesamur Embedai)
CVE-2025-0747: same product (Thesamur Embedai)
CVE-2026-39339: shared CWE-284
CVE-2026-46839: shared CWE-284
CVE-2025-26010: shared CWE-284
CVE-2026-34291: shared CWE-284
CVE-2023-47539: shared CWE-284
CVE-2026-23899: shared CWE-284

Affected Assets

Vendor: thesamur
Product: embedai
Versions: ≤ 2.1

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 enforces approved authorizations for logical access to subscription information, directly preventing authenticated attackers from viewing other users' data by manipulating the SUBSCRIPTION_ID parameter.

Prevent: AC-24 authorizes access to specific system resources like subscriptions using security attributes such as user ownership, mitigating unauthorized disclosure via IDOR.

Prevent: AC-6 applies least privilege to restrict authenticated users to only their own subscription data, reducing the impact of improper access enforcement.
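The weakness described in the analysis above and the AC-3/AC-24 controls listed here come down to one missing check: the handler for a per-user resource must scope its lookup to the caller, not just confirm that the caller is logged in. The following is an added illustration written for this page, not EmbedAI's code. It uses a constructed in-memory subscription table and a hypothetical path of the same shape as the advisory's endpoint; the vulnerable handler fetches by ID alone, the hardened handler enforces ownership, returns the same "not found" result for missing and foreign records, and records denied lookups for detection.

```python
"""Ownership enforcement for a per-user resource endpoint (constructed example, not EmbedAI's code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Subscription:
    subscription_id: int
    owner_id: int
    plan: str


# Constructed sample data: two users, each owning exactly one subscription.
SUBSCRIPTIONS = {
    101: Subscription(subscription_id=101, owner_id=1, plan="starter"),
    102: Subscription(subscription_id=102, owner_id=2, plan="enterprise"),
}

# Denied lookups are appended here; a real service would ship these to its log pipeline
# so that a single user cycling through many IDs stands out.
AUDIT_LOG: list = []

# Hypothetical route of the same shape as the advisory's endpoint.
SHOW_PATH = re.compile(r"^/demos/embedai/subscriptions/show/([^/]+)$")


def parse_subscription_id(path: str) -> Optional[int]:
    """Extracts the ID segment and rejects anything that is not a plain integer."""
    match = SHOW_PATH.match(path)
    if match is None or not match.group(1).isdigit():
        return None
    return int(match.group(1))


def serialize(sub: Subscription) -> dict:
    return {"id": sub.subscription_id, "plan": sub.plan, "owner": sub.owner_id}


def show_subscription_vulnerable(current_user_id: int, subscription_id: int) -> Optional[dict]:
    """Authentication was checked upstream, but the record is fetched by ID with no
    ownership check, so any logged-in user can read any subscription (CWE-284 pattern)."""
    sub = SUBSCRIPTIONS.get(subscription_id)
    return None if sub is None else serialize(sub)


def show_subscription_hardened(current_user_id: int, subscription_id: int) -> Optional[dict]:
    """Lookup scoped to the caller (AC-3 access enforcement using the ownership attribute, AC-24).
    Missing and foreign records produce the same result so valid IDs cannot be told apart."""
    sub = SUBSCRIPTIONS.get(subscription_id)
    if sub is None or sub.owner_id != current_user_id:
        if sub is not None:
            AUDIT_LOG.append({
                "event": "subscription_access_denied",
                "user_id": current_user_id,
                "subscription_id": subscription_id,
            })
        return None
    return serialize(sub)


def handle_show(current_user_id: int, path: str, handler=show_subscription_hardened) -> Tuple[int, dict]:
    """Minimal dispatcher returning (http_status, body) for the show route."""
    subscription_id = parse_subscription_id(path)
    if subscription_id is None:
        return 400, {"error": "bad request"}
    body = handler(current_user_id, subscription_id)
    if body is None:
        return 404, {"error": "not found"}
    return 200, body


if __name__ == "__main__":
    path = "/demos/embedai/subscriptions/show/102"  # user 1 asking for user 2's record
    print("vulnerable:", handle_show(1, path, show_subscription_vulnerable))
    print("hardened:  ", handle_show(1, path))
    print("audit:", AUDIT_LOG)
```

The hardened handler keeps the ownership condition inside the data access itself rather than in a separate pre-check, so a future caller cannot reach the record without passing through it; the audit entry gives a SOC a concrete signal (one user, many distinct denied subscription IDs) to alert on.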
