Cyber Resilience

CVE-2025-22390

High

Published: 04 January 2025

Published
04 January 2025
Modified
20 May 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0033 56.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22390 is a high-severity Weak Password Requirements (CWE-521) vulnerability in Optimizely Optimizely Cms. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002); ranked in the top 44.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22390 affects Optimizely EPiServer.CMS.Core versions prior to 12.32.0, where insufficient enforcement of password complexity requirements allows users to set passwords with a minimum length of only 6 characters. This weakness fails to provide adequate resistance against modern attack techniques, such as password spraying or offline password cracking. The vulnerability is mapped to CWE-521 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By leveraging the weak password policy, attackers can perform password spraying campaigns or crack stolen password hashes offline, potentially gaining unauthorized access to CMS user accounts and exposing sensitive data.

Optimizely has issued security advisory CMS-2025-02, available at https://support.optimizely.com/hc/en-us/articles/33182255281293-Content-Management-System-CMS-Security-Advisory-CMS-2025-02, which details mitigation steps. Practitioners should upgrade to EPiServer.CMS.Core 12.32.0 or later to address the issue.

EU & UK References

Vulnerability details

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate…

more

complexity to resist modern attack techniques such as password spraying or offline password cracking.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.002 Password Cracking Credential Access
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
T1110.003 Password Spraying Credential Access
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.
Why these techniques?

Weak password policy (min 6 chars) directly enables password spraying (T1110.003) and offline password cracking (T1110.002) against CMS accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22389Same product: Optimizely Optimizely Cms
CVE-2025-22386Same vendor: Optimizely
CVE-2025-22384Same vendor: Optimizely
CVE-2025-22387Same vendor: Optimizely
CVE-2026-25715Shared CWE-521
CVE-2025-55269Shared CWE-521
CVE-2026-33771Shared CWE-521
CVE-2025-53963Shared CWE-521
CVE-2025-27663Shared CWE-521
CVE-2025-25211Shared CWE-521

Affected Assets

optimizely
optimizely cms
≤ 12.32.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 mandates management of authenticators with sufficient strength of mechanism, directly enforcing password complexity requirements to resist spraying and cracking attacks exploited by this CVE.

prevent

SI-2 requires timely remediation of flaws, such as patching to EPiServer.CMS.Core 12.32.0 or later to fix the weak password enforcement vulnerability.

prevent

AC-7 enforces limits on unsuccessful logon attempts, mitigating password spraying attacks enabled by the CVE's allowance of weak 6-character passwords.

References