CVE-2025-2395
Published: 17 March 2025
Summary
CVE-2025-2395 is a critical-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in U-Office Force from e-Excellence (vendor identifier edetw). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.4% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
The U-Office Force application from e-Excellence contains an Improper Authentication vulnerability, identified as CVE-2025-2395 with a CVSS v3.1 score of 9.8. The flaw stems from insufficient validation of client-supplied cookie values: an unauthenticated remote attacker can invoke a particular API and alter cookies so that the application treats the request as coming from an administrator.
An attacker who can reach the application over the network needs no credentials and bypasses login controls entirely, which is why the score reflects full loss of confidentiality, integrity, and availability on affected installations.
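To make the weakness class concrete, here is an added illustration written for this page (it is not U-Office Force's code and is not derived from the vendor's or TWCERT/CC's advisories) of the CWE-565 pattern: an authorization decision that trusts a client-supplied `role` cookie, beside a hardened version that issues an opaque session identifier, keeps the role server-side, and verifies an HMAC tag before the cookie is used. All names in it (`SERVER_SECRET`, `SESSIONS`, `login`, the cookie names) are assumptions for the example; the real API and cookie names in U-Office Force are not published on this page.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side state for the hardened variant. In production the
# secret comes from a key store and the session table from a database or cache.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS: dict[str, dict] = {}   # session_id -> {"user": ..., "role": ...}


def parse_cookie_header(header: str) -> dict:
    """Turn a raw Cookie request header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# ---- Vulnerable pattern (CWE-565): the privilege lives in a client-controlled cookie ----
def vulnerable_is_admin(cookie_header: str) -> bool:
    cookies = parse_cookie_header(cookie_header)
    # Nothing ties "role" to a completed login, so any client can simply send role=admin.
    return cookies.get("role") == "admin"


# ---- Hardened pattern: opaque id + server-side role + integrity tag ----
def _tag(session_id: str) -> str:
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def login(user: str, role: str) -> str:
    """Called only after credentials have been verified. Returns the cookie to set."""
    sid = secrets.token_urlsafe(32)          # unguessable; base64url never contains '.'
    SESSIONS[sid] = {"user": user, "role": role}
    return f"session={sid}.{_tag(sid)}"


def hardened_is_admin(cookie_header: str) -> bool:
    cookies = parse_cookie_header(cookie_header)
    sid, dot, tag = cookies.get("session", "").rpartition(".")
    if not dot or not hmac.compare_digest(tag, _tag(sid)):
        return False                         # missing, forged or tampered cookie
    session = SESSIONS.get(sid)
    # The role is read from server state; extra cookies such as role=admin are ignored.
    return session is not None and session["role"] == "admin"


def demo() -> dict:
    """Run both checks against constructed requests; returns each decision by label."""
    user_cookie = login("alice", "user")     # legitimate low-privilege login
    admin_cookie = login("root", "admin")    # legitimate administrator login

    # Attacker variant 1: no login at all, just a hand-written privilege cookie.
    forged = "role=admin"
    # Attacker variant 2: a real user session plus an added role=admin cookie.
    escalated = f"{user_cookie}; role=admin"
    # Attacker variant 3: flip one character of the session id, keep the old tag.
    sid_and_tag = user_cookie[len("session="):]
    flipped = ("a" if sid_and_tag[0] != "a" else "b") + sid_and_tag[1:]
    tampered = f"session={flipped}"

    return {
        "vulnerable_forged": vulnerable_is_admin(forged),
        "hardened_forged": hardened_is_admin(forged),
        "hardened_escalated": hardened_is_admin(escalated),
        "hardened_tampered": hardened_is_admin(tampered),
        "hardened_real_admin": hardened_is_admin(admin_cookie),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {'admin' if decision else 'denied'}")
```

The hardened variant only ever reads privilege from `SESSIONS`, so the cookie carries no authority of its own: a forged or edited cookie fails the HMAC check, and adding a `role=admin` cookie next to a valid session changes nothing. A framework-native server-side session store achieves the same property; the HMAC tag is shown explicitly so the integrity check is visible.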
TWCERT/CC (Taiwan's CERT) has published advisories detailing the issue and recommended actions. The EPSS score remains low in absolute terms: currently 0.0123 (roughly a 1.2% estimated probability of exploitation activity in the next 30 days), with a recorded peak of 0.0237.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6456
Vulnerability details
The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.
- CWE(s): CWE-565 Reliance on Cookies without Validation and Integrity Checking
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1550.004 Use Alternate Authentication Material: Web Session Cookie
Why these techniques?
The vulnerability lets an unauthenticated remote attacker reach a public-facing application API and manipulate cookies to impersonate an administrator. The initial access maps directly to T1190; the forged or altered cookie then serves as alternate authentication material, which is T1550.004.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly identifies and limits the actions allowed without authentication, so an unauthenticated caller cannot invoke the vulnerable API endpoint or alter cookies to obtain an admin login.
- AC-3 (Access Enforcement): enforces approved access authorizations at the API, blocking unauthenticated remote attackers from manipulating cookies to gain administrator privileges.
- IA-2 (Identification and Authentication (Organizational Users)): requires that organizational users are identified and authenticated before access is granted, preventing the authentication bypass in which API-driven cookie alteration impersonates an administrator.
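As an added illustration of what AC-14 and AC-3 look like at the API layer (example code written for this page, not U-Office Force's code; the route names, session table and role values are assumptions), the gate below is deny-by-default: only an explicit allowlist is reachable without a session, every other API call needs a valid server-side session, and admin routes additionally need the admin role. It normalizes the path before matching, because an allowlist or prefix check on the raw path can be sidestepped with dot-segments when the framework normalizes later.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed session table: opaque id -> server-side identity. Entries are
# created only by a successful login, so an unauthenticated client has none.
SESSIONS = {
    "sid-alice": {"user": "alice", "role": "user"},
    "sid-root": {"user": "root", "role": "admin"},
}

# AC-14: the complete list of actions permitted without identification or
# authentication. Anything absent from it is denied by default.
PUBLIC_ROUTES = {("POST", "/api/login"), ("GET", "/api/health")}

# AC-3: routes whose access authorization additionally requires the admin role.
ADMIN_PREFIX = "/api/admin/"


@dataclass
class Request:
    method: str
    path: str                      # assumed already percent-decoded
    cookies: dict = field(default_factory=dict)


def authorize(req: Request) -> int:
    """Deny-by-default gate run before any handler. Returns the HTTP status to
    send; 200 means 'proceed to the handler', not the handler's own result."""
    # Normalize first: "/api/login/../admin/users" must be judged as "/api/admin/users".
    path = posixpath.normpath(req.path)
    if (req.method, path) in PUBLIC_ROUTES:
        return 200
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401   # no valid session: nothing outside the allowlist is reachable
    if path.startswith(ADMIN_PREFIX) and session["role"] != "admin":
        return 403   # authenticated but not authorized for admin actions
    return 200


def demo() -> list:
    """Constructed requests in the shape of the attack described above and of
    legitimate traffic; returns the gate's decision for each, in order."""
    requests = [
        Request("POST", "/api/login"),                                   # public
        Request("GET", "/api/health"),                                   # public
        # Attack shape: unauthenticated call to an account API (hypothetical path)
        # carrying a hand-made role cookie. No session, so it stops at 401.
        Request("POST", "/api/account/role", {"role": "admin"}),
        Request("GET", "/api/admin/users", {"session": "sid-alice"}),    # user -> 403
        Request("GET", "/api/admin/users", {"session": "sid-root"}),     # admin -> 200
        # Dot-segment variant of the admin route with a user session: still 403.
        Request("GET", "/api/login/../admin/users", {"session": "sid-alice"}),
        # Unknown session id presented as if it were valid.
        Request("GET", "/api/files", {"session": "sid-mallory"}),
    ]
    return [authorize(r) for r in requests]


if __name__ == "__main__":
    print(demo())
```

The gate never consults any cookie other than the opaque session id, so the cookie the attacker can write has no route to the role check. A production version also has to decode percent-encoding and collapse duplicate slashes before the comparison, using the same routine the router itself uses, so that the gate and the handler always agree on which path is being requested.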