CVE-2025-1107

Critical

Published: 07 February 2025

Published

07 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

EPSS Score 0.0005 15.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1107 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Incibe (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Restricts sensitive functions like unauthenticated password changes by explicitly identifying and authorizing only permitted actions without identification or authentication.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations to block unauthenticated POST requests to password change endpoints.

IA-5 Authenticator Management good match

prevent

Requires secure management of authenticators including verification procedures for password changes, preventing unverified resets.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote unauthenticated exploitation of a public-facing web endpoint to perform unauthorized password changes on arbitrary accounts, directly enabling initial access via public app exploitation and subsequent account manipulation for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send…

it to the endpoint ‘/public/cgi/Gateway.php’.

Deeper analysisAI

CVE-2025-1107 is an unverified password change vulnerability in Janto versions prior to r12. The issue resides in the endpoint '/public/cgi/Gateway.php', where an attacker can submit a specific POST request to change another user's password without verifying or knowing the current password. Published on 2025-02-07, it is linked to CWE-620 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L), indicating critical severity due to its network accessibility, lack of privileges or user interaction needed, and impacts across confidentiality, integrity, and availability with changed scope.

Unauthenticated attackers can exploit this vulnerability remotely by crafting and sending the malicious POST request to the vulnerable endpoint. Exploitation requires low complexity and enables full password reset for any targeted user account, granting the attacker unauthorized access to that account and potentially broader system compromise depending on user privileges.

The INCIBE-CERT advisory on multiple vulnerabilities in Janto, available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto, provides further details on this issue among others affecting the software.