Cyber Resilience

CVE-2025-21611
Severity: High
Published: 06 January 2025
Modified: 19 August 2025
KEV Added: not listed
Patch: available (tgstation-server 6.12.3)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21611 is a high-severity Improper Authorization (CWE-285) vulnerability in Tgstation13 Tgstation-Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 38.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21611 is an improper authorization vulnerability (CWE-285) in tgstation-server, a production-scale tool for managing BYOND servers. In versions prior to 6.12.3, the authorization logic for API methods incorrectly used an OR operation instead of an AND operation when combining roles for authorization with the role determining user enablement. This flaw enables users who are marked as enabled to bypass intended permission checks for most authorized actions, though not all endpoints are affected.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and low privileges required. An authenticated attacker with an enabled account but lacking specific permissions can exploit this over the network without user interaction to gain unauthorized access to sensitive API functions, potentially reading confidential data, modifying server configurations, or disrupting operations. However, the WriteUsers permission remains unaffected, preventing permanent privilege escalation on user accounts.

Mitigation is available by upgrading to tgstation-server version 6.12.3, which corrects the authorization logic as detailed in the project's GitHub security advisory (GHSA-rf5r-q276-vrc4), issue tracker (#2064), and the fixing commit (e7b1189620baaf03c2d23f6e164d07c7c7d87d57). Security practitioners managing BYOND server infrastructure should prioritize this upgrade, since until it is applied any enabled user account can reach most authorized API actions regardless of its permissions.
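The flaw is easiest to see as a policy combinator. The Python below is an added model written for this page, not tgstation-server's own code (which is C#): an API method is guarded by a required right, every caller must separately be an enabled account, and the two checks are combined either with OR (the pre-6.12.3 shape described above) or with AND (the corrected shape). Right names other than WriteUsers are placeholders; the model does not reproduce the project's WriteUsers exemption. The audit function generalizes the point into a property check a maintainer can run against any authorize() implementation: every decision must equal "enabled AND holds the right", which also surfaces the second consequence of OR in this model, a disabled account that still holds a right being let through.

```python
"""Model of the OR-versus-AND authorization flaw described for CVE-2025-21611.

Constructed illustration, not tgstation-server code. Two checks guard each
API method: the caller holds the method's required right, and the caller's
account is enabled. Joining them with OR instead of AND breaks the policy.
"""
from dataclasses import dataclass
from itertools import combinations, product


@dataclass(frozen=True)
class User:
    name: str
    enabled: bool                       # the "account is enabled" role
    rights: frozenset = frozenset()     # rights granted to the account


# Only "WriteUsers" is named on the page; READ_CONFIG is a placeholder right
# invented for this model.
WRITE_USERS = "WriteUsers"
READ_CONFIG = "ReadConfig"


def authorize_vulnerable(user: User, required_right: str) -> bool:
    """Pre-6.12.3 shape: enablement OR'd with the required right.

    An enabled account with no rights passes; in this model a disabled
    account that still holds the right passes as well.
    """
    return user.enabled or required_right in user.rights


def authorize_fixed(user: User, required_right: str) -> bool:
    """Corrected shape: the caller must be enabled AND hold the right."""
    return user.enabled and required_right in user.rights


def audit_combinator(authorize, rights=(READ_CONFIG, WRITE_USERS)):
    """Property check for any authorize(user, right) function.

    Enumerates every (enabled, subset-of-rights) caller and every guarded
    right, and returns the decisions that violate the conjunctive policy
    "authorized only if enabled AND holding the right". An empty list means
    the combinator is sound for this policy.
    """
    subsets = [frozenset(s) for n in range(len(rights) + 1)
               for s in combinations(rights, n)]
    violations = []
    for enabled, held in product((False, True), subsets):
        probe = User("probe", enabled, held)
        for right in rights:
            decision = authorize(probe, right)
            expected = enabled and right in held
            if decision != expected:
                violations.append((enabled, tuple(sorted(held)), right, decision))
    return violations


if __name__ == "__main__":
    # Constructed sample accounts.
    alice = User("alice", enabled=True)                              # enabled, no rights
    bob = User("bob", enabled=False, rights=frozenset({READ_CONFIG}))  # disabled, has right
    for name, fn in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        print(f"{name}: alice ReadConfig -> {fn(alice, READ_CONFIG)}, "
              f"bob ReadConfig -> {fn(bob, READ_CONFIG)}, "
              f"violations -> {len(audit_combinator(fn))}")
```

Running the audit against the vulnerable combinator lists eight bad decisions over the two placeholder rights (four enabled-but-unprivileged callers let through, four disabled-but-privileged callers let through); the fixed combinator produces none. The same property check can be pointed at a real policy evaluator in a unit test so a regression back to OR is caught before release.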

Vulnerability details

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected so users may not use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3.

CWE(s)

CWE-285 Improper Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Authorization bypass in a public API allows low-privilege enabled accounts to perform unauthorized high-impact actions via flawed role logic.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32716 (shared CWE-285)
CVE-2026-4248 (shared CWE-285)
CVE-2026-24305 (shared CWE-285)
CVE-2025-26683 (shared CWE-285)
CVE-2025-53792 (shared CWE-285)
CVE-2025-64655 (shared CWE-285)
CVE-2025-31255 (shared CWE-285)
CVE-2026-43912 (shared CWE-285)
CVE-2026-33105 (shared CWE-285)
CVE-2026-25809 (shared CWE-285)

Affected Assets

Vendor: tgstation13
Product: tgstation-server
Versions: 6.11.0 to 6.12.3 (fix released in 6.12.3)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Mandates enforcement of approved authorizations for API access, directly addressing the flawed logic that OR'd roles instead of AND'ing them with user enablement status.

SI-2 Flaw Remediation (prevent): Requires timely remediation of the specific authorization flaw via patching to tgstation-server version 6.12.3.

AC-6 Least Privilege (prevent): Enforces least privilege to limit the scope of unauthorized actions accessible to enabled users lacking proper roles.

References

GitHub security advisory GHSA-rf5r-q276-vrc4
tgstation-server issue #2064
Fixing commit e7b1189620baaf03c2d23f6e164d07c7c7d87d57