CVE-2025-0745

Severity: High
Published: 30 January 2025
Modified: 08 October 2025
KEV Added: not listed
Remediation: patch (see advisory below)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0008 (23.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0745 is a high-severity Improper Access Control (CWE-284) vulnerability in Thesamur Embedai. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 23.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2025-0745 is an Improper Access Control vulnerability (CWE-284) affecting EmbedAI versions 2.1 and below. Published on 2025-01-30, it enables access to database backups via the "/embedai/app/uploads/database/<SQL_FILE>" endpoint. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, no privileges or user interaction required, and unchanged scope.

An authenticated attacker can exploit this vulnerability by directly requesting the vulnerable endpoint, allowing them to obtain sensitive database backups. This exposure could reveal critical data stored in the database, such as user information or application configurations, depending on the contents of the SQL files. Note that the advisory text describes an authenticated attacker while the CVSS vector records PR:N (no privileges required); the two are not consistent, and the vector is the more conservative reading when prioritising remediation.

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai provides details on this and other vulnerabilities in EmbedAI, including recommendations for mitigation. Security practitioners should consult the advisory for patching instructions and workarounds specific to affected deployments.

EU & UK References

Vulnerability details

An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain the backups of the database by requesting the "/embedai/app/uploads/database/<SQL_FILE>" endpoint.

CWE(s)

CWE-284 Improper Access Control
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

The improper access control vulnerability in the web application enables exploitation of a public-facing application (T1190) and unauthorized collection of sensitive data from database backups (T1213.006).

CVEs Like This One

CVE-2025-0739 (same product: Thesamur Embedai)
CVE-2025-0744 (same product: Thesamur Embedai)
CVE-2025-0740 (same product: Thesamur Embedai)
CVE-2025-0747 (same product: Thesamur Embedai)
CVE-2026-39339 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)
CVE-2026-34291 (shared CWE-284)
CVE-2023-47539 (shared CWE-284)
CVE-2026-23899 (shared CWE-284)

Affected Assets

thesamur embedai, versions ≤ 2.1

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved access control policies to prevent unauthorized retrieval of sensitive database backups via the vulnerable endpoint.
Prevent: Limits access to database backups to the minimum privileges required, mitigating exploitation by authenticated or low-privileged attackers.
Prevent: Restricts public access to sensitive system-generated content like database backups exposed through web endpoints.