CVE-2025-2230
Published: 13 March 2025
Summary
CVE-2025-2230 is a high-severity Improper Authentication (CWE-287) vulnerability in CISA (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2025-2230 is a vulnerability in the Windows login flow that allows an AuthContext token to be exploited for replay attacks and authentication bypass. Published on 2025-03-13, it has a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-287 (Improper Authentication).
Exploitation requires local access and is low in complexity; no privileges or user interaction are needed. Successful exploitation enables high-impact confidentiality and integrity violations, such as bypassing authentication via token replay to gain unauthorized access during the login process.
Mitigation details are available in advisories from CISA (ICSMA-25-072-01) and Philips security bulletins.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6388
Vulnerability details
A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables replay attacks on AuthContext tokens for authentication bypass in the Windows login flow. This directly facilitates T1550.001 (use of application access tokens to bypass authentication) and T1068 (exploitation of the local vulnerability for privilege escalation, given that no privileges are required and the confidentiality and integrity impact is high).
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms such as unique session identifiers or timestamps to protect against replay attacks on authentication tokens like the AuthContext in Windows login.
IA-5 enforces management of authenticators with strength of mechanism, refresh intervals, and protection against unauthorized disclosure or modification to prevent token replay exploitation.
SI-2 mandates identification, testing, and timely installation of patches to remediate the specific authentication flaw in the Windows login flow.