Cyber Posture

CVE-2025-12866

Critical

Published: 10 November 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12866 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in EIP Plus by Hundred Plus (the affected product is inferred from the references and description, since NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Brute Force (T1110). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: IA-5 (Authenticator Management) requires secure management of authenticators, including procedures and mechanism strength for handling lost or compromised authenticators; this directly addresses a password-recovery mechanism whose reset links can be predicted or brute-forced.

Prevent: SI-2 (Flaw Remediation) mandates identification, reporting, testing, and correction of system flaws such as the weak forgot-password mechanism in EIP Plus.

Prevent: SC-5 (Denial-of-Service Protection) provides protections such as rate limiting, which mitigate brute-force attempts against the unauthenticated forgot-password link.
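To make IA-5 and SC-5 concrete, the following is an added example of a hardened forgot-password token flow. It is not code from this page, from EIP Plus, or from Hundred Plus, and it says nothing about how EIP Plus implements its reset link; the `ResetService` class, the policy constants, and the in-memory stores are hypothetical. It shows the properties a recovery mechanism needs to resist prediction and brute force: a CSPRNG token with 256 bits of entropy, storage of only the token's digest, a short expiry, single use, one live token per account, a per-account throttle on the unauthenticated request endpoint, constant-time comparison on redemption, and invalidation after repeated failed redemptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Policy constants (constructed for this example; tune to the deployment).
TOKEN_BYTES = 32              # 256 bits of randomness: neither predictable nor brute-forceable
TOKEN_TTL_SECONDS = 15 * 60   # short validity window limits exposure of a leaked link
MAX_REQUESTS_PER_WINDOW = 3   # per-account throttle on the unauthenticated endpoint (SC-5)
RATE_WINDOW_SECONDS = 60 * 60
MAX_FAILED_REDEEMS = 5        # guessing the verification endpoint burns the live token


@dataclass
class ResetRecord:
    token_hash: str        # only a SHA-256 digest is stored; a DB leak does not expose live links
    expires_at: float
    used: bool = False
    failures: int = 0


@dataclass
class ResetService:
    """Hypothetical forgot-password back end (example only, not EIP Plus code)."""
    now: Callable[[], float] = time.time
    pending: Dict[str, ResetRecord] = field(default_factory=dict)   # user_id -> one live token
    requests: Dict[str, List[float]] = field(default_factory=dict)  # user_id -> request times

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, user_id: str) -> Optional[str]:
        """Issue a fresh token for user_id, or None when the account is throttled.

        A new token replaces any earlier one, so only a single link is ever live.
        """
        t = self.now()
        recent = [s for s in self.requests.get(user_id, []) if t - s < RATE_WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self.requests[user_id] = recent
            return None
        recent.append(t)
        self.requests[user_id] = recent
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG-backed, 43 URL-safe characters
        self.pending[user_id] = ResetRecord(self._digest(token), t + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        """Validate a (user_id, token) pair from a reset link and consume it on success."""
        rec = self.pending.get(user_id)
        if rec is None:
            return False
        # Constant-time digest comparison: a mismatch leaks no prefix information.
        matches = hmac.compare_digest(rec.token_hash, self._digest(token))
        if not matches or rec.used or self.now() > rec.expires_at:
            rec.failures += 1
            if rec.failures >= MAX_FAILED_REDEEMS:
                del self.pending[user_id]   # invalidate; the user must request a new link
            return False
        rec.used = True   # single use: replaying the same link fails
        return True


if __name__ == "__main__":
    svc = ResetService()
    link_token = svc.request_reset("alice")
    print("issued:", link_token is not None)
    print("redeemed once:", svc.redeem("alice", link_token))
    print("replay rejected:", not svc.redeem("alice", link_token))
```

The `now` callable is injectable so the expiry and throttle windows can be exercised deterministically in tests; in production the default `time.time` is used. Keying `pending` by user rather than by token means the verification endpoint never performs a lookup on attacker-controlled data beyond the account identifier, and the digest comparison is the only place the submitted token is examined.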

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

The vulnerability is in a public-facing application (T1190) allowing unauthenticated attackers to brute-force or predict password reset links (T1110), enabling arbitrary account takeovers.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

EIP Plus, developed by Hundred Plus, has a Weak Password Recovery Mechanism vulnerability, allowing an unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password.

Deeper analysis (AI-generated)

CVE-2025-12866 is a critical vulnerability in EIP Plus, a product developed by Hundred Plus, stemming from a weak password recovery mechanism classified under CWE-640. The flaw enables an unauthenticated remote attacker to predict or brute-force the 'forgot password' link, allowing unauthorized password resets for any user account. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-11-10.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no privileges required. By predicting or brute-forcing the forgot-password link, the attacker gains the ability to reset passwords for arbitrary users, potentially leading to full account takeover, high confidentiality, integrity, and availability impacts, and unauthorized access to sensitive data or systems managed via EIP Plus.

Advisories from TWCERT/CC (https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html, https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html) and CHT Security (https://www.chtsecurity.com/news/20848f61-9db5-44fd-8574-c9d6a54e4010) provide details on the vulnerability; security practitioners should review these for recommended patches, workarounds, or mitigation strategies specific to EIP Plus deployments.

Details

CWE(s)

CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Affected Products

Org (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-24467 (shared CWE-640)
CVE-2025-63314 (shared CWE-640)
CVE-2025-1570 (shared CWE-640)
CVE-2026-1325 (shared CWE-640)
CVE-2026-40585 (shared CWE-640)
CVE-2022-50910 (shared CWE-640)
CVE-2026-29199 (shared CWE-640)
CVE-2026-25858 (shared CWE-640)
CVE-2020-37172 (shared CWE-640)
CVE-2025-69614 (shared CWE-640)

References