CVE-2025-22390
Published: 04 January 2025
Summary
CVE-2025-22390 is a high-severity Weak Password Requirements (CWE-521) vulnerability in Optimizely Optimizely Cms. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002); ranked in the top 44.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22390 affects Optimizely EPiServer.CMS.Core versions prior to 12.32.0, where insufficient enforcement of password complexity requirements allows users to set passwords with a minimum length of only 6 characters. This weakness fails to provide adequate resistance against modern attack techniques, such as password spraying or offline password cracking. The vulnerability is mapped to CWE-521 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By leveraging the weak password policy, attackers can perform password spraying campaigns or crack stolen password hashes offline, potentially gaining unauthorized access to CMS user accounts and exposing sensitive data.
Optimizely has issued security advisory CMS-2025-02, available at https://support.optimizely.com/hc/en-us/articles/33182255281293-Content-Management-System-CMS-Security-Advisory-CMS-2025-02, which details mitigation steps. Practitioners should upgrade to EPiServer.CMS.Core 12.32.0 or later to address the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2771
Vulnerability details
An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate…
more
complexity to resist modern attack techniques such as password spraying or offline password cracking.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak password policy (min 6 chars) directly enables password spraying (T1110.003) and offline password cracking (T1110.002) against CMS accounts.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 mandates management of authenticators with sufficient strength of mechanism, directly enforcing password complexity requirements to resist spraying and cracking attacks exploited by this CVE.
SI-2 requires timely remediation of flaws, such as patching to EPiServer.CMS.Core 12.32.0 or later to fix the weak password enforcement vulnerability.
AC-7 enforces limits on unsuccessful logon attempts, mitigating password spraying attacks enabled by the CVE's allowance of weak 6-character passwords.