Cyber Resilience

CVE-2025-14038

High

Published: 15 December 2025

Published
15 December 2025
Modified
18 February 2026
KEV Added
Patch
CVSS Score v3.1 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0013 32.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14038 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Enterprisedb Hybrid Manager. Its CVSS base score is 7.0 (High).

Operationally, ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certain gRPC endpoints.…

more

This flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should consider upgrading to 1.3.3 as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in the configuration. This allowed requests to bypass both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager - LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager - Innovation should be upgraded to 2025.12.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

enterprisedb
hybrid manager
≤ 1.3.3 · ≤ 2025.12.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-306 CWE-862

Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

addresses: CWE-306 CWE-862

Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

addresses: CWE-862 CWE-306

Always invoking the reference monitor prevents missing authorization checks for protected resources.

addresses: CWE-306 CWE-862

Auditing sessions makes it possible to detect access to critical functions without required authentication.

addresses: CWE-306 CWE-862

The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.

addresses: CWE-306 CWE-862

Certification assesses that critical functions have required authentication controls in place.

addresses: CWE-862 CWE-306

Requiring authorization servers ensures authorization is performed for protected functions.

addresses: CWE-306 CWE-862

Tailoring determines which functions require authentication and selects the appropriate baseline or compensating authentication controls.

References