CVE-2025-1144

Critical

Published: 11 February 2025

Published

11 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1144 is a critical-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Org (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly limits and documents user actions permitted without identification or authentication, preventing exposure of sensitive database information and plaintext admin credentials on unauthenticated pages.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, blocking unauthenticated attackers from viewing sensitive pages containing database data and admin credentials.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users, mitigating remote unauthenticated access to critical system pages exposing sensitive information.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Direct unauthenticated remote exposure of plaintext admin credentials and DB contents via public-facing web app enables T1190 (Exploit Public-Facing Application) for initial access and T1552 (Unsecured Credentials) for credential access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

School Affairs System from Quanxun has an Exposure of Sensitive Information, allowing unauthenticated attackers to view specific pages and obtain database information as well as plaintext administrator credentials.

Deeper analysisAI

CVE-2025-1144, published on 2025-02-11, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the School Affairs System from Quanxun. Classified under CWE-497 (Exposure of Sensitive Information), it enables unauthenticated attackers to access specific pages, exposing database information and plaintext administrator credentials.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation grants access to sensitive database contents and administrator credentials in plaintext, resulting in high impacts to confidentiality, integrity, and availability.

Advisories from TWCERT provide further details on the vulnerability, available at https://www.twcert.org.tw/en/cp-139-8416-b6cba-2.html and https://www.twcert.org.tw/tw/cp-132-8415-853e0-1.html.