CVE-2025-2388
Published: 17 March 2025
Summary
CVE-2025-2388 is an Improper Authentication (CWE-287) vulnerability. This page's summary lists a base score of 6.9 (Medium); the CVSS v3.1 vector given in the detailed analysis below (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) scores 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2025-2388 is an improper authentication vulnerability (CWE-287) in Keytop 路内停车收费系统 (on-street parking fee collection system) version 2.7.1, rated critical by the disclosing advisory. The issue affects an unknown function within the API component, specifically the file /saas/commonApi/park/getParks. Published on 2025-03-17, it carries a CVSS v3.1 base score of 7.3 (High; AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely with no privileges, no user interaction and low attack complexity. Manipulating requests to the affected endpoint bypasses authentication; per the CVSS vector, the resulting impact on confidentiality, integrity and availability is rated Low for each. The advisory text does not state what the manipulation is.
Advisories and additional details, including the publicly disclosed exploit, are available at VulDB entries (https://vuldb.com/?ctiid.299887, https://vuldb.com/?id.299887, https://vuldb.com/?submit.516710) and the GitHub wiki (https://github.com/K-mxredo/MXdocument/wiki). The exploit has been disclosed to the public and may be used.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6535
Vulnerability details
A vulnerability was found in Keytop 路内停车收费系统 2.7.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /saas/commonApi/park/getParks of the component API. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-287 Improper Authentication
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The CVE describes an improper authentication vulnerability (CWE-287) in a publicly accessible API endpoint (/saas/commonApi/park/getParks) that allows remote attackers to bypass authentication with no privileges or user interaction. This directly enables initial access by exploiting a public-facing application.
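Because the endpoint is public-facing and should never answer successfully without credentials, one practical detection is to hunt access logs for requests to /saas/commonApi/park/getParks that carried no Authorization header or session cookie yet received HTTP 200. The following is an added example, not code from the advisory or from Keytop: the log format (combined log with two appended fields for the Authorization and Cookie headers), the field layout and the sample lines are constructed for illustration, and the parser must be adapted to whatever proxy or gateway actually fronts the system.

```python
"""Hunt for unauthenticated successes against the affected endpoint in web access logs.

Added example, not from the original advisory or from Keytop. The log format,
field names and sample lines are constructed for illustration.
Heuristic: a request to /saas/commonApi/park/getParks with no Authorization
header and no Cookie header that still gets HTTP 200 is suspicious, because the
endpoint should not succeed without authentication.
"""
import re
from collections import Counter

AFFECTED_PATH = "/saas/commonApi/park/getParks"

# Constructed log lines: combined-log layout plus two extra quoted fields at the
# end, the Authorization header (or "-") and the Cookie header (or "-").
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2025:10:01:02 +0000] "GET /saas/commonApi/park/getParks HTTP/1.1" 200 1834 "-" "python-requests/2.31" "-" "-"
198.51.100.4 - - [17/Mar/2025:10:01:05 +0000] "GET /saas/commonApi/park/getParks?parkId=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Bearer eyJhbGciOi..." "-"
203.0.113.7 - - [17/Mar/2025:10:01:09 +0000] "POST /saas/commonApi/park/getParks HTTP/1.1" 200 1834 "-" "curl/8.4.0" "-" "-"
192.0.2.10 - - [17/Mar/2025:10:02:00 +0000] "GET /saas/commonApi/park/getParks HTTP/1.1" 401 0 "-" "curl/8.4.0" "-" "-"
192.0.2.10 - - [17/Mar/2025:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0" "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" '
    r'"(?P<auth>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(rec):
    """True when the affected endpoint answered 200 to a request carrying no credentials."""
    path = rec["target"].split("?", 1)[0]      # ignore the query string when matching the path
    if path != AFFECTED_PATH:
        return False
    unauthenticated = rec["auth"] == "-" and rec["cookie"] == "-"
    return unauthenticated and rec["status"] == "200"


def hunt(log_text):
    """Return the suspicious records and a per-source-IP count of them."""
    records = (parse_line(line) for line in log_text.splitlines())
    hits = [r for r in records if r and is_suspicious(r)]
    return hits, Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits, by_ip = hunt(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} ua={h["ua"]!r}')
    print("suspicious requests per source:", dict(by_ip))
```

The 401 line is deliberately kept out of the hits: rejected attempts are noise for this rule, while a 200 to an anonymous caller is the signal that the bypass worked. Pivot on the source IP afterwards to see what else the same client touched.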
Affected Assets
- Keytop 路内停车收费系统 2.7.1, API component, file /saas/commonApi/park/getParks
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to the API endpoint, directly preventing unauthorized manipulation that bypasses authentication.
- IA-8 (Identification and Authentication (Non-organizational Users)): Requires unique identification and authentication for non-organizational users or services accessing the remote SaaS API, mitigating the improper authentication vulnerability.
- Input validation: Validates inputs to the /saas/commonApi/park/getParks endpoint to block manipulative requests that exploit the authentication bypass.
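The three controls map onto a handler in a fixed order: identify and authenticate the caller (IA-8), enforce what that caller is authorized to see (AC-3), and validate parameters before any data access. The following added example shows the weak pattern of a handler that trusts the request outright beside a hardened version. It is not Keytop's code and does not reproduce the actual flaw in /saas/commonApi/park/getParks, whose mechanism the advisory does not describe; the token store, the park data, the parkId parameter and the tenant scopes are hypothetical, and requests are plain dicts so it runs without a web framework.

```python
"""Missing authentication on an API handler (CWE-287) beside a hardened version.

Added example, not code from the original advisory or from Keytop. The handler
logic, API keys, park data and the parkId parameter are hypothetical and only
illustrate the control pattern (IA-8, AC-3, input validation).
"""
import hmac
import re

# Constructed data: the parks the service knows about (hypothetical).
PARKS = {
    "12": {"id": "12", "name": "North Lot", "spaces": 120},
    "13": {"id": "13", "name": "Riverside", "spaces": 45},
}
# Hypothetical API keys issued to external (non-organizational) SaaS tenants,
# each mapped to the park IDs that tenant is authorized to query.
API_KEYS = {
    "tenant-a-key-0f9c1e": {"12"},
    "tenant-b-key-7b22aa": {"13"},
}
PARK_ID_RE = re.compile(r"^[0-9]{1,10}$")   # the only shape a parkId may take


def get_parks_vulnerable(request):
    """Weak pattern: no authentication at all, so any remote caller gets the data."""
    park_id = request.get("params", {}).get("parkId")
    if park_id is None:
        return 200, list(PARKS.values())
    park = PARKS.get(park_id)
    return (200, [park]) if park else (404, {"error": "not found"})


def _lookup_key(presented):
    """IA-8: identify the caller; constant-time compare against every issued key."""
    found = None
    for key, scope in API_KEYS.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            found = scope
    return found


def get_parks_hardened(request):
    """Authenticate, then authorize, then validate input, before touching data."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    scope = _lookup_key(auth[len("Bearer "):])
    if scope is None:
        return 401, {"error": "invalid credentials"}
    park_id = request.get("params", {}).get("parkId")
    if park_id is not None and not PARK_ID_RE.match(park_id):
        return 400, {"error": "parkId must be 1-10 digits"}          # input validation
    if park_id is None:
        return 200, [PARKS[p] for p in sorted(scope) if p in PARKS]  # AC-3: own scope only
    if park_id not in scope:
        return 403, {"error": "not authorized for this park"}        # AC-3: enforce authorization
    park = PARKS.get(park_id)
    return (200, [park]) if park else (404, {"error": "not found"})


if __name__ == "__main__":
    anonymous = {"headers": {}, "params": {"parkId": "12"}}
    print("vulnerable, anonymous:", get_parks_vulnerable(anonymous))
    print("hardened, anonymous:  ", get_parks_hardened(anonymous))
    tenant_a = {"headers": {"Authorization": "Bearer tenant-a-key-0f9c1e"}, "params": {"parkId": "13"}}
    print("hardened, cross-tenant:", get_parks_hardened(tenant_a))
```

The authorization check runs before the existence lookup so that a caller outside the park's scope gets 403 whether or not the park exists, which avoids turning the endpoint into an enumeration oracle; the constant-time comparison avoids leaking key prefixes through response timing.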