CVE-2025-0745
Published: 30 January 2025
Summary
CVE-2025-0745 is a high-severity Improper Access Control (CWE-284) vulnerability in Thesamur Embedai. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-22 (Publicly Accessible Content).
Deeper analysis
CVE-2025-0745 is an Improper Access Control vulnerability (CWE-284) affecting EmbedAI versions 2.1 and below. Published on 2025-01-30, it enables access to database backups via the "/embedai/app/uploads/database/<SQL_FILE>" endpoint. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, no privileges or user interaction required, and unchanged scope.
An authenticated attacker can exploit this vulnerability by directly requesting the vulnerable endpoint, allowing them to obtain sensitive database backups. This exposure could reveal critical data stored in the database, such as user information or application configurations, depending on the contents of the SQL files.
The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai provides details on this and other vulnerabilities in EmbedAI, including recommendations for mitigation. Security practitioners should consult the advisory for patching instructions and workarounds specific to affected deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1849
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain the backups of the database by requesting the "/embedai/app/uploads/database/<SQL_FILE>" endpoint.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The improper access control vulnerability in the web application enables exploitation of a public-facing application (T1190) and unauthorized collection of sensitive data from database backups (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved access control policies to prevent unauthorized retrieval of sensitive database backups via the vulnerable endpoint.
Limits access to database backups to the minimum privileges required, mitigating exploitation by authenticated or low-privileged attackers.
Restricts public access to sensitive system-generated content like database backups exposed through web endpoints.