Cyber Resilience

CVE-2025-1341

Severity: Medium · Public PoC
Published: 16 February 2025
Modified: 16 October 2025
KEV Added: not listed in the CISA KEV catalog
Patch: none available from the vendor
CVSS Score v4: 6.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0007 (22.2nd percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1341 is a medium-severity Weak Password Requirements (CWE-521) vulnerability in Pmweb's PMWeb product. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 22.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-1341 is a vulnerability classified as problematic in PMWeb version 7.2.0, specifically affecting an unknown part of the Setting Handler component. It enables weak password requirements through manipulation, mapped to CWE-521. The issue carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating low severity with network accessibility but high attack complexity and only low confidentiality impact.

Remote attackers need no privileges to attempt the exploit, though the high attack complexity makes successful exploitation difficult. Successful exploitation allows manipulation that leads to weak password requirements, with a low confidentiality impact, such as access to sensitive configuration data through poorly enforced passwords.

Advisories recommend changing configuration settings as the primary mitigation, with no patches available from the vendor, who was contacted early but provided no response. The exploit has been publicly disclosed via references including VulDB entries and a Mega.nz file, and it may be usable by attackers.


Vulnerability details

A vulnerability, which was classified as problematic, was found in PMWeb 7.2.0. This affects an unknown part of the component Setting Handler. The manipulation leads to weak password requirements. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Weak password policy enforcement (CWE-521) directly facilitates brute-force or password-guessing attacks against accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25211 (shared CWE-521)
CVE-2025-25749 (shared CWE-521)
CVE-2025-55269 (shared CWE-521)
CVE-2026-33771 (shared CWE-521)
CVE-2025-27663 (shared CWE-521)
CVE-2025-22390 (shared CWE-521)
CVE-2026-25715 (shared CWE-521)
CVE-2025-55252 (shared CWE-521)
CVE-2023-37398 (shared CWE-521)
CVE-2025-63747 (shared CWE-521)

Affected Assets

Vendor: pmweb
Product: pmweb
Version: 7.2.00

Mitigating Controls (NIST 800-53 r5)

prevent: CM-6 requires establishing and enforcing secure configuration settings for the Setting Handler to prevent the manipulation that enables weak password requirements, directly aligning with the advisory's recommended mitigation.

prevent: IA-5 mandates management of authenticators, including strong password complexity and quality requirements, comprehensively countering the weak password requirements exploited via this vulnerability.

prevent: CM-3 establishes controls over configuration changes to the Setting Handler, reducing the risk of remote manipulation that leads to weak password policies.
