Cyber Posture

CVE-2025-2229

High

Published: 13 March 2025

Published: 13 March 2025
Modified: 15 April 2026
KEV Added: 
Patch: 
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (10.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2229 is a high-severity Use of Weak Credentials (CWE-1391) vulnerability attributed to Cisa (vendor inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Access Token Manipulation (T1134). It is ranked at the 10.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Access Token Manipulation (T1134) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: IA-5 (Authenticator Management). Directly requires management of tokens as authenticators with sufficient strength of mechanism and protection from unauthorized disclosure, addressing the weak fixed encryption key used in token generation.
- prevent: SC-12 (Cryptographic Key Establishment and Management). Mandates secure establishment, distribution, storage, access, and destruction of cryptographic keys, preventing the use of a fixed AES-128 key shared across all installations.
- prevent: Requires implementation of cryptographic mechanisms in accordance with applicable standards to protect token confidentiality and integrity, countering the predictable and forgeable token encryption.

MITRE ATT&CK Enterprise Techniques

- T1134 Access Token Manipulation (Stealth): Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The fixed-key token generation flaw enables local attackers to manipulate tokens for user impersonation, directly facilitating access token manipulation (T1134) and abuse of valid accounts (T1078).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations.

Deeper analysis

CVE-2025-2229, published on 2025-03-13, involves a vulnerability in token creation where the token is generated using the username, current date/time, and a fixed AES-128 encryption key that remains the same across all installations. This flaw, classified under CWE-1391, carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). It affects components referenced in CISA's ICS medical advisory ICSMA-25-072-01 and Philips security advisories.

Local attackers can exploit this vulnerability with low attack complexity and no privileges or user interaction required. Exploitation enables high-impact confidentiality and integrity violations, such as unauthorized access to sensitive information or token manipulation to impersonate users.

Mitigation details are provided in the referenced advisories, including https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01 and https://www.philips.com/a-w/security/security-advisories.html.

Details

CWE(s)

Affected Products

Cisa
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

- CVE-2026-22910 (shared CWE-1391)
- CVE-2026-22920 (shared CWE-1391)
- CVE-2026-23853 (shared CWE-1391)
- CVE-2025-67114 (shared CWE-1391)
- CVE-2026-39920 (shared CWE-1391)
- CVE-2024-43659 (shared CWE-1391)
- CVE-2026-22886 (shared CWE-1391)
- CVE-2024-52331 (shared CWE-1391)

References