Cyber Resilience

CVE-2025-2376

Medium

Published: 17 March 2025

Published
17 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0020 41.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2376 is a medium-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2376 is a critical deserialization vulnerability affecting viames Pair Framework versions up to 1.9.11. The issue resides in the getCookieContent function within the file /src/UserRemember.php of the PHP Object Handler component. By manipulating the cookieName argument, an attacker can trigger improper deserialization, as identified under CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data). The vulnerability was published on 2025-03-17 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation without requiring user privileges or interaction. An unauthenticated attacker can send crafted requests to manipulate the cookieName parameter, leading to deserialization of untrusted data. Successful exploitation could result in low-level impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other malicious behaviors depending on the deserialized objects.

Advisories from VulDB, including entries at vuldb.com/?ctiid.299875, vuldb.com/?id.299875, and vuldb.com/?submit.515735, document the vulnerability details and submission. A public exploit proof-of-concept is available at gist.github.com/mcdruid/1997e10026833d2d1f3e359d75b5912a.

Security practitioners should note that the exploit has been publicly disclosed, increasing the risk of active exploitation against unpatched viames Pair Framework instances up to 1.9.11.

EU & UK References

Vulnerability details

A vulnerability has been found in viames Pair Framework up to 1.9.11 and classified as critical. Affected by this vulnerability is the function getCookieContent of the file /src/UserRemember.php of the component PHP Object Handler. The manipulation of the argument cookieName…

more

leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated deserialization vulnerability in public-facing PHP web framework directly enables exploitation of public-facing applications leading to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0465Shared CWE-20, CWE-502
CVE-2025-1113Shared CWE-20, CWE-502
CVE-2025-2689Shared CWE-20, CWE-502
CVE-2025-1177Shared CWE-20, CWE-502
CVE-2024-13136Shared CWE-20, CWE-502
CVE-2025-0734Shared CWE-20, CWE-502
CVE-2025-2855Shared CWE-20, CWE-502
CVE-2025-1186Shared CWE-20, CWE-502
CVE-2025-0841Shared CWE-20, CWE-502
CVE-2025-2690Shared CWE-20, CWE-502

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and correction of the specific deserialization flaw in the viames Pair Framework's getCookieContent function.

prevent

Enforces validation of the cookieName argument at input points to prevent manipulation leading to deserialization of untrusted data.

prevent

Implements memory protection safeguards to mitigate arbitrary code execution or other exploits resulting from successful deserialization.

References