CVE-2025-11151
Published: 21 October 2025
Summary
CVE-2025-11151 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Gov (inferred from references). Its CVSS base score is 8.2 (High).
Operationally, it ranks at the 14.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35173
Vulnerability details
Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus allows Detect Unpublicized Web Pages. This issue affects CityPLus: before V24.29500.1.0.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.
Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.
Shielding or other emanation protections directly prevent sensitive information from reaching unauthorized actors via electromagnetic signals.
Minimizing PII in testing/training/research directly reduces the volume of sensitive data present in environments where it could be exposed to unauthorized actors.
Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.
Concealment techniques directly prevent real sensitive data from being exposed to adversaries.
Restricts error message visibility to authorized recipients, directly reducing unauthorized exposure of sensitive information.