Cyber Posture

CVE-2025-22390

Severity: High
Published: 04 January 2025
Modified: 20 May 2025
KEV Added: not listed
Patch: EPiServer.CMS.Core 12.32.0 or later
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0024 (47.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22390 is a high-severity Weak Password Requirements (CWE-521) vulnerability in Optimizely CMS (EPiServer.CMS.Core). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). The CVE ranks at the 47.2nd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Cracking (T1110.002) and one other technique, Password Spraying (T1110.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 (Authenticator Management) mandates management of authenticators with sufficient strength of mechanism, directly enforcing the password complexity requirements needed to resist the spraying and cracking attacks this CVE enables.

Prevent: SI-2 (Flaw Remediation) requires timely remediation of flaws, such as patching to EPiServer.CMS.Core 12.32.0 or later to fix the weak password enforcement.

Prevent: AC-7 (Unsuccessful Logon Attempts) enforces limits on unsuccessful logon attempts, mitigating the password spraying made practical by the CVE's allowance of weak 6-character passwords.

MITRE ATT&CK Enterprise Techniques

T1110.002 Password Cracking (Credential Access): Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.

T1110.003 Password Spraying (Credential Access): Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.
Why these techniques?

A weak password policy (minimum length of 6 characters) directly enables password spraying (T1110.003) against live CMS accounts and offline password cracking (T1110.002) of any stolen password hashes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate complexity to resist modern attack techniques such as password spraying or offline password cracking.

Deeper analysis

CVE-2025-22390 affects Optimizely EPiServer.CMS.Core versions prior to 12.32.0, where insufficient enforcement of password complexity requirements allows users to set passwords with a minimum length of only 6 characters. This weakness fails to provide adequate resistance against modern attack techniques, such as password spraying or offline password cracking. The vulnerability is mapped to CWE-521 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By leveraging the weak password policy, attackers can perform password spraying campaigns or crack stolen password hashes offline, potentially gaining unauthorized access to CMS user accounts and exposing sensitive data.

Optimizely has issued security advisory CMS-2025-02, available at https://support.optimizely.com/hc/en-us/articles/33182255281293-Content-Management-System-CMS-Security-Advisory-CMS-2025-02, which details mitigation steps. Practitioners should upgrade to EPiServer.CMS.Core 12.32.0 or later to address the issue.

Details

CWE(s): CWE-521 (Weak Password Requirements)

Affected Products

Vendor: optimizely
Product: optimizely cms
Versions: ≤ 12.32.0

CVEs Like This One

CVE-2025-22389 (same product: Optimizely CMS)
CVE-2025-22386 (same vendor: Optimizely)
CVE-2025-22387 (same vendor: Optimizely)
CVE-2025-22384 (same vendor: Optimizely)
CVE-2025-27663 (shared CWE-521)
CVE-2025-25749 (shared CWE-521)
CVE-2025-1341 (shared CWE-521)
CVE-2026-25715 (shared CWE-521)
CVE-2025-55252 (shared CWE-521)
CVE-2025-63747 (shared CWE-521)
