Cyber Resilience

CVE-2025-1107

Critical

Published: 07 February 2025

Published
07 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
EPSS Score 0.0005 15.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1107 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Incibe (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-1107 is an unverified password change vulnerability in Janto versions prior to r12. The issue resides in the endpoint '/public/cgi/Gateway.php', where an attacker can submit a specific POST request to change another user's password without verifying or knowing the current password. Published on 2025-02-07, it is linked to CWE-620 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L), indicating critical severity due to its network accessibility, lack of privileges or user interaction needed, and impacts across confidentiality, integrity, and availability with changed scope.

Unauthenticated attackers can exploit this vulnerability remotely by crafting and sending the malicious POST request to the vulnerable endpoint. Exploitation requires low complexity and enables full password reset for any targeted user account, granting the attacker unauthorized access to that account and potentially broader system compromise depending on user privileges.

The INCIBE-CERT advisory on multiple vulnerabilities in Janto, available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto, provides further details on this issue among others affecting the software.

EU & UK References

Vulnerability details

Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send…

more

it to the endpoint ‘/public/cgi/Gateway.php’.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The vulnerability allows remote unauthenticated exploitation of a public-facing web endpoint to perform unauthorized password changes on arbitrary accounts, directly enabling initial access via public app exploitation and subsequent account manipulation for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-45647Shared CWE-620
CVE-2024-12860Shared CWE-620
CVE-2024-13375Shared CWE-620
CVE-2026-40588Shared CWE-620
CVE-2026-24443Shared CWE-620
CVE-2025-63362Shared CWE-620
CVE-2026-27757Shared CWE-620
CVE-2026-24440Shared CWE-620
CVE-2024-12824Shared CWE-620
CVE-2026-30458Shared CWE-620

Affected Assets

Incibe
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Restricts sensitive functions like unauthenticated password changes by explicitly identifying and authorizing only permitted actions without identification or authentication.

prevent

Enforces approved access authorizations to block unauthenticated POST requests to password change endpoints.

prevent

Requires secure management of authenticators including verification procedures for password changes, preventing unverified resets.

References