
CVE-2025-0744

Severity: High
Published: 30 January 2025
Modified: 08 October 2025
KEV Added: not listed
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0007 (22.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0744 is a high-severity Improper Access Control (CWE-284) vulnerability in Thesamur EmbedAI with a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). Its EPSS exploit likelihood sits at the 22.3rd percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-0744 is an Improper Access Control vulnerability (CWE-284) in EmbedAI versions 2.1 and below. An authenticated user can change their own subscription plan without paying by sending a POST request with modified parameters to the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint: the endpoint does not verify that payment for the requested plan has actually taken place before applying it. The attack is remote, low complexity and needs no user interaction, and the outcome is unauthorized access to premium features, so the impact is to integrity only, with no confidentiality or availability effect.

The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (7.5, High). Note that it scores Privileges Required as None even though the description requires an authenticated account; rescored with PR:L, the same vector gives 6.5 (Medium). Treat 7.5 as the published figure and the authenticated precondition as the practical one when prioritising.

Mitigation details are available in the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai, which covers this and other vulnerabilities in EmbedAI.


Vulnerability details

An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to change their subscription plan without paying by making a POST request that changes the parameters of the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper access control enables unauthorized subscription plan changes (account manipulation, T1098) through exploitation of the public-facing web application endpoint (T1190).

CVEs Like This One

CVE-2025-0745 (same product: Thesamur Embedai)
CVE-2025-0739 (same product: Thesamur Embedai)
CVE-2025-0740 (same product: Thesamur Embedai)
CVE-2025-0747 (same product: Thesamur Embedai)
CVE-2025-27646 (shared CWE-284)
CVE-2025-22940 (shared CWE-284)
CVE-2024-46432 (shared CWE-284)
CVE-2026-39339 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)

Affected Assets

Vendor: thesamur
Product: embedai
Versions: ≤ 2.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations on endpoints like the payment processing one to prevent authenticated users from making unauthorized subscription changes.

SI-10 Information Input Validation (prevent)
Validates POST request parameters at the application layer to reject tampered inputs that attempt to upgrade subscriptions without payment.

prevent
Limits authenticated users to privileges matching their paid subscription tier, reducing the impact of access control bypasses on premium features.
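The following is an added illustration written for this page; it is not code from EmbedAI, from the INCIBE-CERT advisory, or from any NIST publication. It models a cash-on-delivery "pay" handler in two forms: the trust-the-client pattern the Deeper analysis describes, where the plan named in the POST body is applied to the account, and a hardened form that implements the three preventive controls listed above (the caller may only act on their own order, the request is validated against an expected shape, and the tier is bound to what was actually paid). The parameter names (`order_id`, `plan`, `amount`), the plan catalogue and prices, and the `paid` flag set when cash is received are all assumptions; the real endpoint's parameters are not given on this page.

```python
# Added illustration, not EmbedAI's code. Parameter names, plan catalogue,
# prices and the cash-on-delivery confirmation flag are assumptions.
from dataclasses import dataclass, field

# Server-side plan catalogue: the only source of truth for what a plan costs.
PLAN_PRICES = {"free": 0, "pro": 29, "enterprise": 99}


@dataclass
class User:
    user_id: int
    plan: str = "free"


@dataclass
class Order:
    order_id: str
    user_id: int
    plan: str
    amount: int
    paid: bool = False  # set by staff when the cash is actually received


@dataclass
class Store:
    users: dict = field(default_factory=dict)
    orders: dict = field(default_factory=dict)


class Rejected(Exception):
    """Request refused by the hardened handler."""


def pay_vulnerable(store: Store, user: User, form: dict) -> dict:
    """Pattern matching the advisory: the plan in the POST body is applied
    to the account immediately, with no check that anything was paid."""
    user.plan = form["plan"]
    return {"status": "ok", "plan": user.plan}


def pay_hardened(store: Store, user: User, form: dict) -> dict:
    # SI-10: accept only the fields we expect, with the types we expect.
    order_id = form.get("order_id")
    if not isinstance(order_id, str) or set(form) - {"order_id"}:
        raise Rejected("unexpected or malformed parameters")
    order = store.orders.get(order_id)
    # AC-3: the caller may only act on an order that belongs to them.
    if order is None or order.user_id != user.user_id:
        raise Rejected("no such order for this account")
    # Tier and price come from the server-side record, never from the
    # request, and must agree with the catalogue.
    if order.plan not in PLAN_PRICES or order.amount != PLAN_PRICES[order.plan]:
        raise Rejected("order does not match catalogue")
    # Cash on delivery: the upgrade is applied only once payment is recorded,
    # so the user's privileges never exceed their paid tier.
    if not order.paid:
        return {"status": "pending_payment", "plan": user.plan}
    user.plan = order.plan
    return {"status": "ok", "plan": user.plan}


def demo() -> tuple:
    """Runs one tampered request against both handlers. Returns the plan the
    attacker holds after each, then the plan granted once payment is recorded."""
    store = Store()
    attacker = User(user_id=7)
    store.users[attacker.user_id] = attacker
    # Legitimate, unpaid order for 'pro' created earlier in the checkout flow.
    store.orders["ord-1"] = Order("ord-1", attacker.user_id, "pro", PLAN_PRICES["pro"])

    # Tampered POST body: asks for the top tier directly, amount zeroed.
    tampered = {"order_id": "ord-1", "plan": "enterprise", "amount": 0}
    pay_vulnerable(store, attacker, tampered)
    vuln_plan = attacker.plan  # 'enterprise', nothing paid

    attacker.plan = "free"  # reset for the hardened run
    try:
        pay_hardened(store, attacker, tampered)
    except Rejected:
        pass
    hardened_plan = attacker.plan  # still 'free'

    # Honest path: payment recorded out of band, then the plan applies.
    store.orders["ord-1"].paid = True
    paid_plan = pay_hardened(store, attacker, {"order_id": "ord-1"})["plan"]
    return vuln_plan, hardened_plan, paid_plan


if __name__ == "__main__":
    print(demo())  # ('enterprise', 'free', 'pro')
```

The point of the hardened version is that nothing the client sends decides the outcome: the request carries only a reference, and the tier, the price and whether money changed hands are all read from records the client cannot write. Rejecting unexpected fields outright (rather than ignoring them) also makes tampering attempts visible in application logs.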
