Cyber Resilience

CVE-2025-12049

Severity: Critical
Published: 22 December 2025
Modified: 15 January 2026
KEV Added: not listed
Patch: vendor advisory available
CVSS v4 Score: 9.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0029 (20.1st percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12049 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Sharp MP-01 firmware. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2025-12049 is a Missing Authentication for Critical Function vulnerability (CWE-306) affecting all versions of the Sharp Display Solutions Media Player MP-01. Published on 2025-12-22, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to the lack of authentication mechanisms protecting sensitive operations.

A network-accessible attacker requires no privileges, user interaction, or special conditions to exploit this vulnerability. Successful exploitation grants unauthorized access to the device's web interface, enabling the attacker to change settings, perform arbitrary operations, and deliver content from authoring software without authentication.

Mitigation details are available in the vendor advisory at https://sharp-displays.jp.sharp/global/support/info/MP01-CVE-2025-12049.html.

Vulnerability details

Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 (all versions) allows an attacker to access the web interface of the affected product without authentication and change settings or perform other operations, and to deliver content from the authoring software to the affected product without authentication.

CWE(s)

CWE-306: Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows network-accessible exploitation of a public-facing web interface with missing authentication, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11541 (same vendor: Sharp)
CVE-2025-11542 (same vendor: Sharp)
CVE-2026-4640 (shared CWE-306)
CVE-2026-24728 (shared CWE-306)
CVE-2026-22788 (shared CWE-306)
CVE-2025-54816 (shared CWE-306)
CVE-2026-39393 (shared CWE-306)
CVE-2026-24177 (shared CWE-306)
CVE-2026-31882 (shared CWE-306)
CVE-2026-35523 (shared CWE-306)

Affected Assets

Vendor: Sharp
Product: MP-01 firmware
Versions: all versions

Mitigating Controls (NIST 800-53 r5, AI-assigned)

AC-14 (prevent): requires identification and restriction of critical actions performable without authentication, directly preventing unauthorized access to the web interface's sensitive functions.

AC-22 (prevent): mandates restrictions on transactions over publicly accessible systems without identification or authentication, mitigating changes to settings via the exposed web interface.

IA-8 (prevent): enforces unique identification and authentication for non-organizational users, countering unauthenticated access by external attackers to the device's web interface.