Cyber Posture

CVE-2025-1341

Severity: Low
Public PoC: yes

Published: 16 February 2025
Modified: 16 October 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0006 (percentile 19.3)
Risk Priority: 7 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1341 is a low-severity Weak Password Requirements (CWE-521) vulnerability in PMWeb 7.2.0. Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). EPSS places it at percentile 19.3 by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: CM-6 (Configuration Settings) requires establishing and enforcing secure configuration settings for the Setting Handler, so that a manipulated setting cannot silently weaken the password requirements. This aligns directly with the advisory's recommended mitigation of changing the configuration settings.

Prevent: IA-5 (Authenticator Management) mandates management of authenticators, including password length, complexity and quality requirements, which directly counters the weak password requirements this vulnerability introduces.

Prevent: CM-3 (Configuration Change Control) places controls over changes to the Setting Handler's configuration, reducing the risk that a remote manipulation results in a weak password policy without review.
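The two controls above describe a configuration audit (CM-6) and a password-quality gate (IA-5). The following is an added example, not PMWeb code: PMWeb's real setting names are not public, so the fields min_length, require_classes, max_length and blocklist_enabled, the baseline values and the blocklist entries are all assumptions. It shows what a weakened configuration of the kind the advisory describes looks like beside the baseline, how a scheduled audit would flag it, and how the same baseline is enforced when a password is set.

```python
"""Password-policy baseline check (added example, not PMWeb code).

The advisory says a manipulated configuration in PMWeb's Setting Handler can
leave the application with weak password requirements. PMWeb's real setting
names are not public, so the fields below (min_length, require_classes,
max_length, blocklist_enabled) and the baseline values are assumptions.
Two checks are shown: auditing a stored configuration against an
organisation-defined baseline (CM-6), and enforcing that baseline when a
password is set (IA-5).
"""
from dataclasses import dataclass
import re

# Organisation-defined baseline; the numbers are assumptions for the example.
BASELINE = {"min_length": 12, "require_classes": 3, "max_length": 64,
            "blocklist_enabled": True}

# Constructed blocklist. A real deployment loads a breached-password corpus.
BLOCKLIST = {"password", "password1234", "welcome12345", "changeme12345"}

# Character classes counted for the complexity rule: lower, upper, digit, symbol.
CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


@dataclass
class PasswordPolicy:
    """Settings as a configuration handler might store them (assumed names)."""
    min_length: int = 12
    require_classes: int = 3
    max_length: int = 64
    blocklist_enabled: bool = True


def audit_policy(policy: PasswordPolicy, baseline: dict = BASELINE) -> list[str]:
    """CM-6 style check: list every way `policy` is weaker than `baseline`.

    An empty list means the configuration matches the baseline. Running this
    against the stored settings on a schedule catches a manipulated value even
    when the change itself was never logged.
    """
    findings = []
    if policy.min_length < baseline["min_length"]:
        findings.append(f"min_length {policy.min_length} below baseline {baseline['min_length']}")
    if policy.require_classes < baseline["require_classes"]:
        findings.append(f"require_classes {policy.require_classes} below baseline {baseline['require_classes']}")
    if policy.max_length < baseline["max_length"]:
        # A small maximum blocks long passphrases and caps the guess space.
        findings.append(f"max_length {policy.max_length} below baseline {baseline['max_length']}")
    if baseline["blocklist_enabled"] and not policy.blocklist_enabled:
        findings.append("blocklist disabled")
    return findings


def validate_password(password: str, policy: PasswordPolicy) -> list[str]:
    """IA-5 style check: list the rules `password` fails under `policy`."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        failures.append(f"longer than {policy.max_length}")
    classes = sum(1 for pat in CLASS_PATTERNS if re.search(pat, password))
    if classes < policy.require_classes:
        failures.append(f"only {classes} of {policy.require_classes} character classes")
    if policy.blocklist_enabled and password.lower() in BLOCKLIST:
        failures.append("on blocklist")
    return failures


if __name__ == "__main__":
    # A configuration as the advisory describes: requirements weakened.
    weakened = PasswordPolicy(min_length=1, require_classes=0, blocklist_enabled=False)
    print("audit of weakened config:", audit_policy(weakened))
    print("'a' under weakened config:", validate_password("a", weakened))
    print("'a' under baseline config:", validate_password("a", PasswordPolicy()))
    print("'Password1234' under baseline:", validate_password("Password1234", PasswordPolicy()))
```

The audit and the gate deliberately share one baseline dictionary: if the gate reads its limits from the same mutable settings store that the advisory says can be manipulated, a weakened setting weakens both, so the audit should compare against a value held outside that store.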

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Weak password policy enforcement (CWE-521) directly facilitates brute-force or password-guessing attacks against accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1
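The mapping above says a weak policy makes guessing attacks practical; the defender's counterpart is spotting them. The following is an added example, not PMWeb code or a format the page documents: the log line layout, addresses, usernames and thresholds are constructed. It flags a source that exceeds a failure count within a sliding window (password guessing, T1110.001), a source that fails against several distinct accounts (password spraying, T1110.003), and a success that follows a burst of failures, which is the event to triage first.

```python
"""Brute-force detection over authentication logs (added example, not PMWeb code).

Once password requirements are weakened, the practical attack is guessing
(T1110). This is the detection side: a per-source count of failed logins in
a sliding window (password guessing, T1110.001), a per-source count of
distinct accounts failed against (password spraying, T1110.003), and a
success that follows a run of failures. The log format, addresses, usernames
and thresholds are constructed for the example; PMWeb's real log format is
not documented on the page.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

FAIL_THRESHOLD = 5               # failures from one source within WINDOW
WINDOW = timedelta(seconds=60)
SPRAY_USERS = 3                  # distinct accounts failed against from one source

# Constructed sample. Lines are in time order, as a real log would be.
SAMPLE_LOG = """\
2025-02-16T10:00:01 ip=203.0.113.7 user=admin result=failure
2025-02-16T10:00:07 ip=203.0.113.7 user=admin result=failure
2025-02-16T10:00:13 ip=203.0.113.7 user=admin result=failure
2025-02-16T10:00:19 ip=203.0.113.7 user=admin result=failure
2025-02-16T10:00:25 ip=203.0.113.7 user=admin result=failure
2025-02-16T10:00:31 ip=203.0.113.7 user=admin result=failure
2025-02-16T10:00:40 ip=203.0.113.7 user=admin result=success
2025-02-16T10:01:00 ip=198.51.100.9 user=alice result=failure
2025-02-16T10:01:05 ip=198.51.100.9 user=bob result=failure
2025-02-16T10:01:10 ip=198.51.100.9 user=carol result=failure
2025-02-16T10:02:00 ip=192.0.2.5 user=dave result=failure
2025-02-16T10:02:09 ip=192.0.2.5 user=dave result=success
"""


def parse(log_text: str):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def detect(log_text: str) -> dict[str, list[str]]:
    """Return {source_ip: sorted reasons} for sources showing T1110 behaviour."""
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside WINDOW
    failed_users = defaultdict(set)        # ip -> accounts that source failed against
    alerts = defaultdict(set)

    for ts, ip, user, result in parse(log_text):
        q = recent_failures[ip]
        while q and ts - q[0] > WINDOW:    # drop failures that fell out of the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            failed_users[ip].add(user)
            if len(q) >= FAIL_THRESHOLD:
                alerts[ip].add("T1110.001 password guessing")
            if len(failed_users[ip]) >= SPRAY_USERS:
                alerts[ip].add("T1110.003 password spraying")
        elif len(q) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the case to triage first.
            alerts[ip].add("success after repeated failures")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

The spray rule deliberately has no time window: a low-and-slow spray of one guess per account per hour passes the per-window failure count, which is exactly why the two rules are kept separate.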

NVD Description

A vulnerability, which was classified as problematic, was found in PMWeb 7.2.0. This affects an unknown part of the component Setting Handler. The manipulation leads to weak password requirements. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis (AI-generated)

CVE-2025-1341 is a vulnerability classified as problematic in PMWeb version 7.2.0, affecting an unknown part of the Setting Handler component. Manipulation of that component leads to weak password requirements (CWE-521). The CVSS v3.1 base score is 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N): network-reachable with no privileges or user interaction required, but with high attack complexity and only a low confidentiality impact.

Because the vector is PR:N, a remote attacker needs no account to attempt the manipulation, though the high complexity makes a successful attempt difficult. The direct effect is a weakened password policy rather than access to data; the C:L rating reflects the limited, indirect confidentiality impact that follows once accounts can be protected by passwords that are easy to guess.

The advisory recommends changing the configuration settings as the primary mitigation; no vendor patch is listed, and the vendor, contacted early, did not respond. The exploit has been publicly disclosed (references include VulDB entries and a Mega.nz file) and may be usable by attackers.

Details

CWE(s): CWE-521 Weak Password Requirements

Affected Products

Vendor: pmweb · Product: pmweb · Version: 7.2.00

CVEs Like This One

CVE-2025-25749 (shared CWE-521)
CVE-2025-25211 (shared CWE-521)
CVE-2025-55269 (shared CWE-521)
CVE-2026-33771 (shared CWE-521)
CVE-2025-53963 (shared CWE-521)
CVE-2026-25715 (shared CWE-521)
CVE-2025-11200 (shared CWE-521)
CVE-2025-55252 (shared CWE-521)
CVE-2025-27663 (shared CWE-521)
CVE-2025-22390 (shared CWE-521)
