Cyber Resilience

CVE-2025-1941
Severity: Critical
Published: 04 March 2025
Modified: 13 April 2026
KEV Added:
Patch:
CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0007 (20.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1941 is a critical-severity Improper Access Control (CWE-284) vulnerability in Mozilla Firefox. Its CVSS base score is 9.1 (Critical).

Operationally, it is ranked at the 20.7th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Deeper analysis

CVE-2025-1941 is an improper access control vulnerability (CWE-284) in Mozilla Firefox, where under certain circumstances a user opt-in setting requiring authentication before using the Focus feature could be bypassed. This issue is distinct from CVE-2025-0245 and affects the Focus component in Firefox versions prior to 136. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows bypassing the authentication requirement for Focus, enabling unauthorized access that compromises sensitive data (high confidentiality impact) and potentially modifies protected resources (high integrity impact) without disrupting availability.

Mozilla's security advisory (MFSA 2025-14) and Bugzilla entry (1944665) document the flaw and confirm it was addressed in Firefox 136. Security practitioners should advise users to update to Firefox 136 or later to mitigate the risk.

EU & UK References

Vulnerability details

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4701 (same product: Mozilla Firefox)
CVE-2026-4723 (same product: Mozilla Firefox)
CVE-2026-4716 (same product: Mozilla Firefox)
CVE-2026-2794 (same product: Mozilla Firefox)
CVE-2026-4687 (same product: Mozilla Firefox)
CVE-2026-4704 (same product: Mozilla Firefox)
CVE-2026-4705 (same product: Mozilla Firefox)
CVE-2026-4697 (same product: Mozilla Firefox)
CVE-2026-4691 (same product: Mozilla Firefox)
CVE-2026-4714 (same product: Mozilla Firefox)

Affected Assets

Vendor: mozilla
Product: firefox
Versions: ≤ 136.0

Mitigating Controls (NIST 800-53 r5) AI

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations to prevent bypass of authentication requirements for the Focus feature in Firefox.

IA-11 Re-authentication (prevent): Requires re-authentication prior to using privileged functions like Focus, mitigating the authentication bypass vulnerability.

Flaw remediation (prevent): Ensures timely flaw remediation through patching Firefox to version 136 or later, eliminating the improper access control vulnerability.

References