CVE-2025-1270
Published: 13 February 2025
Summary
CVE-2025-1270 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Anapi H6Web. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Accounts (T1078.003); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-1270 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, in Anapi Group's h6web application. The issue affects the "/h6web/ha_datos_hermano.php" endpoint, where an authenticated attacker can modify the "pkrelated" parameter in a POST request to reference another user's data, enabling unauthorized access to other users' information.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows initial access to other users' information and impersonation via the first request. Subsequent requests are then executed with the privileges of the impersonated user, resulting in a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), with high confidentiality impact, changed scope, and limited integrity and availability impacts.
INCIBE-CERT has published an advisory on multiple vulnerabilities in Anapi Group h6web, including CVE-2025-1270. Practitioners should refer to https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web for details on mitigation strategies and any available patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2100
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition,…
more
the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR enables authenticated impersonation of other local accounts (T1078.003) and exploitation of the public-facing web app for unauthorized data access (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 requires enforcement of approved authorizations for access to information and resources, directly preventing IDOR exploitation by blocking unauthorized access via manipulated 'pkrelated' parameters.
AC-24 mandates verification and enforcement of access control decisions using policies like ABAC or RBAC, ensuring checks for user ownership before accessing objects referenced by parameters.
AC-6 applies least privilege to limit the impact of impersonation by restricting privileges executable after IDOR exploitation to only necessary ones.