CVE-2025-1270
Published: 13 February 2025
Summary
CVE-2025-1270 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Anapi H6Web. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Accounts (T1078.003). The vulnerability ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to information and resources, directly preventing IDOR exploitation by blocking unauthorized access via manipulated 'pkrelated' parameters.
AC-24 mandates verification and enforcement of access control decisions using policies like ABAC or RBAC, ensuring checks for user ownership before accessing objects referenced by parameters.
AC-6 applies least privilege to limit the impact of impersonation by restricting privileges executable after IDOR exploitation to only necessary ones.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR enables authenticated impersonation of other local accounts (T1078.003) and exploitation of the public-facing web app for unauthorized data access (T1190).
NVD Description
Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
Deeper analysis
CVE-2025-1270 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, in Anapi Group's h6web application. The issue affects the "/h6web/ha_datos_hermano.php" endpoint, where an authenticated attacker can modify the "pkrelated" parameter in a POST request to reference another user's data, enabling unauthorized access to other users' information.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows initial access to other users' information and impersonation via the first request. Subsequent requests are then executed with the privileges of the impersonated user, resulting in a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), with high confidentiality impact, changed scope, and limited integrity and availability impacts.
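The following is an added illustration, not h6web's code, of the access-enforcement pattern that AC-3 and AC-24 call for in the controls listed above: a handler that dereferences a user-controlled key like pkrelated must verify that the referenced object belongs to the session user, and must never derive the session identity from request input. The record table, field names, handler names and the log entries are constructed for the example; h6web's real schema and handler logic are not on the page. A small audit routine over constructed access-log entries shows how a defender can flag the cross-user key pattern that characterises this CVE.

```python
"""Added example (not h6web's code): ownership check before dereferencing a
user-controlled key, plus a log audit for the cross-user access pattern.

All table, field and function names are assumptions constructed for the
illustration; the real application's schema is not described on the page.
"""

from dataclasses import dataclass

# Constructed sample data: records keyed by a 'pkrelated'-style key, each
# owned by exactly one user (owner_id).
RECORDS = {
    101: {"owner_id": 1, "name": "record-of-user-1"},
    102: {"owner_id": 1, "name": "second-record-of-user-1"},
    201: {"owner_id": 2, "name": "record-of-user-2"},
}


@dataclass
class Session:
    """Identity established at login. A correct handler never overwrites it
    from request data."""
    user_id: int


def can_access(session_user_id, pkrelated):
    """AC-24 decision point: True only if the record exists and is owned by
    the requesting user. Missing and not-owned are deliberately not
    distinguished, so the key space cannot be enumerated via error type."""
    record = RECORDS.get(pkrelated)
    return record is not None and record["owner_id"] == session_user_id


def vulnerable_handler(session, pkrelated):
    """The defect class described in the advisory: the key from the request
    body is looked up directly with no ownership check, and the session
    identity is rebound to the record's owner (the impersonation step)."""
    record = RECORDS.get(pkrelated)
    if record is None:
        return None
    session.user_id = record["owner_id"]  # identity taken from request data
    return record


def hardened_handler(session, pkrelated):
    """AC-3 enforcement: authorize before returning the object, and leave the
    session identity untouched. Returns None when access is denied."""
    if not can_access(session.user_id, pkrelated):
        return None
    return RECORDS[pkrelated]


def audit_log(entries):
    """Defender-side check over (session_user_id, pkrelated) access-log
    entries (constructed): return those whose key belongs to a different
    user, the signature of this IDOR. Unknown keys are not flagged here."""
    flagged = []
    for user_id, pk in entries:
        record = RECORDS.get(pk)
        if record is not None and record["owner_id"] != user_id:
            flagged.append((user_id, pk))
    return flagged


if __name__ == "__main__":
    s = Session(user_id=1)
    print("hardened, own record:", hardened_handler(s, 101))
    print("hardened, other user's record:", hardened_handler(s, 201))
    print("session still user", s.user_id)
    v = Session(user_id=1)
    print("vulnerable, other user's record:", vulnerable_handler(v, 201))
    print("session now user", v.user_id)
    # Constructed log sample: user 1 reaching for user 2's key is flagged.
    print("flagged:", audit_log([(1, 101), (1, 201), (2, 201), (3, 999)]))
```

The decision lives in one function (can_access) so the same rule can be reused by every endpoint that accepts an object key, which is what AC-24's "verify and enforce access control decisions" amounts to in code. The audit routine needs only the user id and the submitted key from the request log, so it can run retrospectively over existing logs to find past abuse of the unpatched endpoint.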
INCIBE-CERT has published an advisory on multiple vulnerabilities in Anapi Group h6web, including CVE-2025-1270. Practitioners should refer to https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web for details on mitigation strategies and any available patches.
Details
- CWE(s)