Cyber Posture

CVE-2025-2402

High

Published: 31 March 2025
Modified: 08 October 2025
KEV Added: not listed
Patch: available (see fixed versions below)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0187 (83.3rd percentile)
Risk Priority: 18 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2402 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in KNIME Business Hub: the product's MinIO object store ships with a hard-coded, non-random password. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked in the top 16.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and 3 other techniques. AI-specific risk: MITRE ATLAS AI Supply Chain Compromise (AML.T0010) plus 2 more. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of system flaws such as the hard-coded password, which in practice means patching to a fixed KNIME Business Hub version.

IA-5 Authenticator Management (prevent)

Mandates secure management of authenticators, including prohibiting hard-coded passwords and changing defaults, which directly prevents embedding a fixed credential in a component such as MinIO.

Configuration settings control (prevent; control identifier not shown on this page)

Enforces secure configuration baselines that avoid hard-coded credentials and restrict access modes, limiting unauthorized access to the object store.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The hard-coded password in an exposed MinIO object store enables default-account abuse (T1078.001) and exploitation of a public-facing application (T1190). With that access, an unauthenticated remote attacker can read and manipulate stored job data (T1565.001) and cause a denial of service by writing large amounts of data directly to the store (T1499.003).
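Because the credential is valid, requests made with the hard-coded password look like ordinary authenticated S3 traffic: there are no authentication failures to alert on, so detection has to key on where the requests come from and how much they write. The following is an added example (not code from KNIME, NVD or this page) that runs three such checks over constructed MinIO-style audit records: any access from outside an assumed internal CIDR (T1190), write calls from such a source (T1565.001), and a per-source write burst above a byte threshold inside a five-minute window (T1499.003). The record field names follow a simplified audit-log shape, and the bucket names, CIDR, thresholds and every log line are assumptions built for the example; records are assumed to arrive in time order.

```python
"""Detection sketch for abuse of an exposed object store (added example).

The audit records are constructed for this example and use a simplified
MinIO-style JSON shape: time, api.name, api.bucket, api.object, remotehost and
requestHeader.Content-Length. The internal CIDR, bucket names and thresholds
are assumptions, not values taken from the KNIME advisory.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed cluster range
WRITE_APIS = {"PutObject", "DeleteObject", "CopyObject", "CompleteMultipartUpload"}
BURST_BYTES = 1 << 30   # flag a source that writes >= 1 GiB inside the window
WINDOW_SECONDS = 300    # sliding window for the burst check

# Constructed sample: one internal client behaving normally, one external
# client reading a job, tampering with its output, then flooding the store.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-04-01T10:00:01Z","api":{"name":"GetObject","bucket":"jobs","object":"job-42/input.table"},"remotehost":"10.0.3.7","requestHeader":{}}
{"time":"2025-04-01T10:00:04Z","api":{"name":"PutObject","bucket":"jobs","object":"job-42/output.table"},"remotehost":"10.0.3.7","requestHeader":{"Content-Length":"2048"}}
{"time":"2025-04-01T10:00:30Z","api":{"name":"GetObject","bucket":"jobs","object":"job-42/input.table"},"remotehost":"203.0.113.9","requestHeader":{}}
{"time":"2025-04-01T10:00:45Z","api":{"name":"PutObject","bucket":"jobs","object":"job-42/output.table"},"remotehost":"203.0.113.9","requestHeader":{"Content-Length":"4096"}}
{"time":"2025-04-01T10:02:00Z","api":{"name":"PutObject","bucket":"jobs","object":"flood/0"},"remotehost":"203.0.113.9","requestHeader":{"Content-Length":"419430400"}}
{"time":"2025-04-01T10:03:00Z","api":{"name":"PutObject","bucket":"jobs","object":"flood/1"},"remotehost":"203.0.113.9","requestHeader":{"Content-Length":"419430400"}}
{"time":"2025-04-01T10:04:00Z","api":{"name":"PutObject","bucket":"jobs","object":"flood/2"},"remotehost":"203.0.113.9","requestHeader":{"Content-Length":"419430400"}}
"""


def parse_records(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_internal(ip, nets):
    """True when the source address belongs to one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyze(log_text, internal_nets=INTERNAL_NETS):
    """Return sorted, de-duplicated (rule, source, technique) findings."""
    findings = set()
    recent_writes = defaultdict(list)  # source -> [(timestamp, bytes)] in window
    for rec in parse_records(log_text):
        src = rec["remotehost"]
        api = rec["api"]["name"]
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        size = int(rec.get("requestHeader", {}).get("Content-Length", 0))

        # The store should never be reachable from outside the cluster at all.
        if not is_internal(src, internal_nets):
            findings.add(("external_access", src, "T1190"))
            if api in WRITE_APIS:
                findings.add(("external_write", src, "T1565.001"))

        # Volume check: bytes written by one source within the sliding window.
        if api in WRITE_APIS:
            window = recent_writes[src]
            window.append((ts, size))
            while window and (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
                window.pop(0)
            if sum(b for _, b in window) >= BURST_BYTES:
                findings.add(("write_burst", src, "T1499.003"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, source, technique in analyze(SAMPLE_AUDIT_LOG):
        print(f"{rule:16} source={source:15} {technique}")
```

The internal client's single small write produces nothing; the external client is flagged on first contact, again when it overwrites `job-42/output.table`, and a third time once its cumulative writes inside the window pass 1 GiB. In a real deployment the CIDR list would be the cluster and ingress ranges, and the first rule alone (external reachability of the object store) is the one that should never fire.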

MITRE ATLAS Techniques

AML.T0010: AI Supply Chain Compromise
AML.T0024: Exfiltration via AI Inference API
AML.T0048: External Harms

NVD Description

A hard-coded, non-random password for the object store (minio) of KNIME Business Hub in all versions except the ones listed below allows an unauthenticated remote attacker in possession of the password to read and manipulate swapped jobs or read and manipulate in- and output data of active jobs. It is also possible to cause a denial-of-service of most functionality of KNIME Business Hub by writing large amounts of data to the object store directly. There are no viable workarounds; therefore we strongly recommend updating to one of the following versions of KNIME Business Hub:
* 1.13.2 or later
* 1.12.3 or later
* 1.11.3 or later
* 1.10.3 or later

Deeper analysis

CVE-2025-2402 is a vulnerability involving a hard-coded, non-random password in the MinIO object store component of KNIME Business Hub, affecting all versions except 1.13.2 or later, 1.12.3 or later, 1.11.3 or later, and 1.10.3 or later. Classified under CWE-259 (Use of Hard-coded Password), it has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, with limited confidentiality and integrity impact but high availability impact.

An unauthenticated remote attacker who obtains the hard-coded password can exploit this to read and manipulate swapped jobs, as well as in- and output data of active jobs in KNIME Business Hub. Additionally, the attacker can cause a denial-of-service condition impacting most functionality by writing large amounts of data directly to the object store.

KNIME advisories state there are no viable workarounds and strongly recommend updating to one of the patched versions listed above. Further details are available in the official KNIME security advisory at https://www.knime.com/security/advisories#CVE-2025-2402 and the GitHub advisory at https://github.com/advisories/GHSA-v5p7-3387-gpmg.
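Because the fix was backported to four release lines, "is my version affected?" is not a single threshold comparison: 1.11.0 is newer than the fixed 1.10.3 yet still vulnerable. The check below is an added example, not KNIME's code and not taken from the advisory; it encodes the four fixed releases named above, treats minor lines older than 1.10 as never fixed, and treats any minor line newer than 1.13 as covered by "1.13.2 or later", which is an assumption. Version strings are assumed to be plain X.Y.Z.

```python
"""Affected-version triage for CVE-2025-2402 (added example, not KNIME's own code).

Fixed releases taken from the advisory text: 1.10.3, 1.11.3, 1.12.3, 1.13.2.
A release on one of those minor lines is affected when it is older than the
line's fix. Minor lines older than 1.10 have no fix listed and are treated as
affected; minor lines newer than 1.13 are treated as fixed because the advisory
says "1.13.2 or later" (an assumption made here, not stated in the advisory).
"""
import re

FIXED_RELEASES = {
    (1, 10): (1, 10, 3),
    (1, 11): (1, 11, 3),
    (1, 12): (1, 12, 3),
    (1, 13): (1, 13, 2),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a plain 'X.Y.Z' (optionally 'vX.Y.Z') version into an int tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when this KNIME Business Hub version still carries the hard-coded password."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_RELEASES:
        # Compare within the release line, not against the newest fix overall.
        return v < FIXED_RELEASES[line]
    if line > max(FIXED_RELEASES):
        return False  # assumption: "1.13.2 or later" also covers 1.14+, 2.x ...
    return True  # lines older than 1.10 never received a fix


def triage(versions):
    """Map each version string to its affected status; handy over a fleet inventory."""
    return {version: is_affected(version) for version in versions}


if __name__ == "__main__":
    inventory = ["1.9.4", "1.10.2", "1.11.0", "1.12.3", "1.13.1", "1.14.0"]
    for version, affected in triage(inventory).items():
        print(f"{version}: {'AFFECTED, update' if affected else 'fixed'}")
```

Run against an inventory export, anything reported as affected needs the upgrade; since the advisory states there is no viable workaround, no compensating control short of the update changes that answer.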

Details

CWE(s)

CWE-259 Use of Hard-coded Password

Affected Products

KNIME Business Hub: versions before 1.10.3; 1.11.0 through 1.11.2; 1.12.0 through 1.12.2; and, per the advisory text above, 1.13.0 through 1.13.1. The releases 1.10.3, 1.11.3, 1.12.3 and 1.13.2 are the fixed versions and are not affected.

CVEs Like This One

CVE-2025-3019 (same product: KNIME Business Hub)
CVE-2025-2787 (same product: KNIME Business Hub)
CVE-2025-59388 (shared CWE-259)
CVE-2025-1100 (shared CWE-259)
CVE-2026-25753 (shared CWE-259)
CVE-2025-46067 (shared CWE-259)
CVE-2025-70798 (shared CWE-259)
CVE-2025-30106 (shared CWE-259)
CVE-2025-70041 (shared CWE-259)
CVE-2025-30115 (shared CWE-259)
