Cyber Resilience

CVE-2025-12870

Critical

Published: 12 November 2025

Published
12 November 2025
Modified
18 November 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 37.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-12870 is a critical-severity Weak Authentication (CWE-1390) vulnerability in Aenrich A\+Hrd. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-12870 is an Authentication Abuse vulnerability (CWE-1390) affecting the a+HRD software developed by aEnrich. Published on 2025-11-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites. The flaw enables unauthenticated remote attackers to send crafted packets that bypass authentication mechanisms.

Unauthenticated attackers can exploit this vulnerability remotely over the network with minimal effort. By crafting and transmitting specific packets, they can obtain valid administrator access tokens, granting elevated privileges to access and control the affected system. This results in high-impact compromise across confidentiality, integrity, and availability.

Mitigation guidance is available in advisories from TWCERT/CC (https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html, https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html) and CHT Security (https://www.chtsecurity.com/news/b97e8337-6b0c-43e8-8e8c-187b7c0e13c2). Security practitioners should consult these resources for recommended patches, workarounds, or configuration changes to address the issue.

EU & UK References

Vulnerability details

The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to bypass authentication via crafted packets on a network-accessible application, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12871Same product: Aenrich A\+Hrd
CVE-2025-0585Same product: Aenrich A\+Hrd
CVE-2025-0586Same product: Aenrich A\+Hrd
CVE-2025-40554Shared CWE-1390
CVE-2023-53894Shared CWE-1390
CVE-2026-4828Shared CWE-1390
CVE-2025-40552Shared CWE-1390
CVE-2026-28710Shared CWE-1390
CVE-2026-6886Shared CWE-1390
CVE-2025-1387Shared CWE-1390

Affected Assets

aenrich
a\+hrd
≤ 7.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 limits and authorizes specific actions performable without identification or authentication, directly preventing unauthenticated attackers from obtaining administrator access tokens via crafted packets.

prevent

AC-3 enforces approved authorizations for access to system resources, countering the authentication bypass that grants elevated privileges.

prevent

SI-10 validates information inputs to the system, blocking crafted packets that exploit the authentication abuse vulnerability.

References