CVE-2025-1226
Published: 12 February 2025
Summary
CVE-2025-1226 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in R1Bbit Yimioa. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of the improper authorization flaw in /oa/setup/setup.jsp by upgrading to ywoa version 2024.07.04.
Mandates enforcement of approved authorizations for access to system resources like /oa/setup/setup.jsp, directly countering the improper authorization vulnerability.
Limits and documents permitted actions without identification or authentication, ensuring sensitive setup functionality requires authentication to prevent unauthenticated remote exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-1226 is an improper authorization vulnerability in the public-facing web application endpoint /oa/setup/setup.jsp, exploitable remotely without authentication, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was found in ywoa up to 2024.07.03. It has been declared as critical. This vulnerability affects unknown code of the file /oa/setup/setup.jsp. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been…
more
disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
Deeper analysisAI
CVE-2025-1226 is a vulnerability affecting ywoa versions up to 2024.07.03, specifically in the unknown code of the file /oa/setup/setup.jsp. It involves improper authorization, mapped to CWE-266 and CWE-285, and has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The issue allows remote manipulation and has been declared critical despite the medium CVSS rating.
Unauthenticated remote attackers (PR:N) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required (UI:N), achieving a low impact on confidentiality (C:L) with no integrity or availability disruption (I:N/A:N). The exploit has been publicly disclosed and may be used by attackers targeting affected instances.
Advisories recommend upgrading to ywoa version 2024.07.04 to address the issue. Relevant references include the issue tracker at https://gitee.com/r1bbit/yimioa/issues/IBI7PG and VulDB entries at https://vuldb.com/?ctiid.295216 and https://vuldb.com/?id.295216.
Details
- CWE(s)