CVE-2025-1847
Published: 03 March 2025
Summary
CVE-2025-1847 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Zframeworks Zz. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for logical access to system resources in real time, directly mitigating the improper authorization bypass in the vulnerable processing.
AC-6 enforces least privilege restrictions, limiting the scope and impact of unauthorized actions by low-privileged attackers exploiting the authorization flaw.
SI-2 requires identification, reporting, and timely remediation of critical flaws like this improper authorization vulnerability, including patching or compensatory controls despite vendor unresponsiveness.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The improper authorization vulnerability (CWE-285) enables vertical privilege escalation (T1068) from ordinary users to administrator privileges and facilitates account manipulation (T1098) by allowing modification, deletion, or addition of administrator information remotely.
NVD Description
A vulnerability was found in zj1983 zz up to 2024-8. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to…
more
the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-1847 is a critical improper authorization vulnerability (CWE-266, CWE-285) discovered in zj1983 zz up to version 2024-8. The issue affects some unknown processing within the software, enabling manipulation that bypasses authorization controls. Published on 2025-03-03, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability allows remote exploitation by an attacker possessing low privileges, such as an authenticated user, with low attack complexity and no requirement for user interaction. Successful exploitation can result in low impacts to confidentiality, integrity, and availability, potentially allowing limited unauthorized actions within the affected processing.
Advisories note that the exploit has been publicly disclosed and may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or specific mitigations are detailed in available references, which include VulDB entries and GitHub documentation.
Notable context includes the public availability of the exploit, increasing the risk of real-world abuse, with no reported patches from the unresponsive vendor.
Details
- CWE(s)