
CVE-2025-1941

Severity: Critical
Published: 04 March 2025
Modified: 13 April 2026
KEV Added: not listed
Patch: Firefox 136 or later
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0007 (20.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1941 is a critical-severity Improper Access Control (CWE-284) vulnerability in Mozilla Firefox. Its CVSS base score is 9.1 (Critical).

Operationally, its EPSS score places it at the 20.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): directly enforces approved authorizations to prevent bypass of the authentication requirement for the Focus feature in Firefox.

IA-11 Re-authentication (prevent): requires re-authentication before using privileged functions such as Focus, mitigating the authentication bypass vulnerability.

Flaw remediation (prevent): ensures timely remediation by patching Firefox to version 136 or later, eliminating the improper access control vulnerability.

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

NVD Description

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.

Deeper analysis

CVE-2025-1941 is an improper access control vulnerability (CWE-284) in Mozilla Firefox, where under certain circumstances a user opt-in setting requiring authentication before using the Focus feature could be bypassed. This issue is distinct from CVE-2025-0245 and affects the Focus component in Firefox versions prior to 136. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows bypassing the authentication requirement for Focus, enabling unauthorized access that compromises sensitive data (high confidentiality impact) and potentially modifies protected resources (high integrity impact) without disrupting availability.

Mozilla's security advisory (MFSA 2025-14) and Bugzilla entry (1944665) document the flaw and confirm it was addressed in Firefox 136. Security practitioners should advise users to update to Firefox 136 or later to mitigate the risk.

Details

CWE(s): CWE-284 (Improper Access Control)
Affected Products: mozilla firefox ≤ 136.0

CVEs Like This One

CVE-2026-4691 (same product: Mozilla Firefox)
CVE-2026-4723 (same product: Mozilla Firefox)
CVE-2025-1940 (same product: Mozilla Firefox)
CVE-2026-4715 (same product: Mozilla Firefox)
CVE-2026-4705 (same product: Mozilla Firefox)
CVE-2026-4688 (same product: Mozilla Firefox)
CVE-2026-4698 (same product: Mozilla Firefox)
CVE-2026-4704 (same product: Mozilla Firefox)
CVE-2026-4699 (same product: Mozilla Firefox)
CVE-2026-2794 (same product: Mozilla Firefox)
