Cyber Resilience

CVE-2025-1270

Critical

Published: 13 February 2025

Published
13 February 2025
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
EPSS Score 0.0009 26.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1270 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Anapi H6Web. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Local Accounts (T1078.003); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-1270 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, in Anapi Group's h6web application. The issue affects the "/h6web/ha_datos_hermano.php" endpoint, where an authenticated attacker can modify the "pkrelated" parameter in a POST request to reference another user's data, enabling unauthorized access to other users' information.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows initial access to other users' information and impersonation via the first request. Subsequent requests are then executed with the privileges of the impersonated user, resulting in a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), with high confidentiality impact, changed scope, and limited integrity and availability impacts.

INCIBE-CERT has published an advisory on multiple vulnerabilities in Anapi Group h6web, including CVE-2025-1270. Practitioners should refer to https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web for details on mitigation strategies and any available patches.

EU & UK References

Vulnerability details

Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition,…

more

the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.003 Local Accounts Stealth
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

IDOR enables authenticated impersonation of other local accounts (T1078.003) and exploitation of the public-facing web app for unauthorized data access (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50693Shared CWE-639
CVE-2025-69394Shared CWE-639
CVE-2026-41471Shared CWE-639
CVE-2025-58402Shared CWE-639
CVE-2025-68051Shared CWE-639
CVE-2026-4503Shared CWE-639
CVE-2026-43890Shared CWE-639
CVE-2026-25563Shared CWE-639
CVE-2024-8261Shared CWE-639
CVE-2026-3321Shared CWE-639

Affected Assets

anapi
h6web
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations for access to information and resources, directly preventing IDOR exploitation by blocking unauthorized access via manipulated 'pkrelated' parameters.

prevent

AC-24 mandates verification and enforcement of access control decisions using policies like ABAC or RBAC, ensuring checks for user ownership before accessing objects referenced by parameters.

prevent

AC-6 applies least privilege to limit the impact of impersonation by restricting privileges executable after IDOR exploitation to only necessary ones.

References