CVE-2025-2230

High

Published: 13 March 2025
Modified: 15 April 2026
KEV Added: (not listed)
CVSS Score (v4): 8.5
CVSS Vector (v4): CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2230 is a high-severity Improper Authentication (CWE-287) vulnerability in Cisa (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-2230 is a vulnerability in the Windows login flow that allows an AuthContext token to be exploited for replay attacks and authentication bypass. Published on 2025-03-13, it has a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-287 (Improper Authentication).

A local attacker with low-complexity access and no privileges or user interaction required can exploit this flaw. Successful exploitation enables high-impact confidentiality and integrity violations, such as bypassing authentication via token replay to gain unauthorized access during the login process.

Mitigation details are available in advisories from CISA (ICSMA-25-072-01) and Philips security bulletins.

Vulnerability details

A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1550.001 Application Access Token (Lateral Movement): adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Why these techniques?

The vulnerability enables replay attacks on AuthContext tokens for authentication bypass in the Windows login flow. This directly maps to T1550.001 (use of application access tokens to bypass authentication) and to T1068 (exploitation of the local vulnerability for privilege escalation, given that no privileges are required and the confidentiality and integrity impact is high).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-55241 (shared CWE-287)
- CVE-2026-6456 (shared CWE-287)
- CVE-2026-34990 (shared CWE-287)
- CVE-2026-24294 (shared CWE-287)
- CVE-2026-27939 (shared CWE-287)
- CVE-2025-54918 (shared CWE-287)
- CVE-2025-0070 (shared CWE-287)
- CVE-2026-26119 (shared CWE-287)
- CVE-2025-64423 (shared CWE-287)
- CVE-2026-42822 (shared CWE-287)

Affected Assets

Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- Prevent: SC-23 (Session Authenticity) requires mechanisms such as unique session identifiers or timestamps to protect against replay attacks on authentication tokens like the AuthContext in Windows login.
- Prevent: IA-5 (Authenticator Management) enforces management of authenticators with strength of mechanism, refresh intervals, and protection against unauthorized disclosure or modification to prevent token replay exploitation.
- Prevent: SI-2 (Flaw Remediation) mandates identification, testing, and timely installation of patches to remediate the specific authentication flaw in the Windows login flow.