Cyber Posture

CVE-2025-22983

HighPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
21 April 2025
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0039 59.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22983 is a high-severity Insecure Storage of Sensitive Information (CWE-922) vulnerability in Thecosy Icecms. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for logical access to system resources, directly preventing unauthenticated attackers from accessing sensitive information via the /square/getAllSquare/circle endpoint.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Identifies and limits specific actions permitted without identification or authentication, mitigating omissions that allow unauthorized access to sensitive endpoints like /square/getAllSquare/circle.

SC-14 Public Access Protections good match
prevent

Restricts public access to system resources from external networks, addressing network-accessible unauthenticated exposure of sensitive information in iceCMS.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The CVE describes an access control vulnerability in a public-facing web application (iceCMS) endpoint allowing unauthenticated access to sensitive information, directly enabling T1190: Exploit Public-Facing Application.

NVD Description

An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.

Deeper analysisAI

CVE-2025-22983 is an access control vulnerability in iceCMS version 2.2.0, specifically within the /square/getAllSquare/circle component. Published on 2025-01-14, the issue stems from CWE-922 (Omission of Security-relevant Information) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low complexity, no privileges or user interaction required, and no impact on integrity or availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network by accessing the affected endpoint, bypassing intended access controls to retrieve sensitive information from the system.

Details on mitigation and exploitation are documented in the referenced advisory at https://github.com/H3rmesk1t/vulnerability-paper/blob/main/iceCMS-2.2.0-Incorrect%20Access%20Control.md.

Details

CWE(s)
CWE-922

Affected Products

thecosy
icecms
2.2.0

CVEs Like This One

CVE-2025-22984Same product: Thecosy Icecms
CVE-2025-12539Shared CWE-922
CVE-2024-56113Shared CWE-922
CVE-2024-57546Shared CWE-922
CVE-2026-40868Shared CWE-922
CVE-2024-57436Shared CWE-922
CVE-2025-28244Shared CWE-922
CVE-2025-21299Shared CWE-922
CVE-2025-2241Shared CWE-922
CVE-2024-12315Shared CWE-922

References