Cyber Resilience

CVE-2025-24369

Severity: Low
Published: 27 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 2.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0018 (38.9th percentile)
Risk Priority: 5 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24369 is a low-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Xeiaso (inferred from references). Its CVSS base score is 2.3 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211). The CVE ranks at the 38.9th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related: AI category Other Platforms, risk domain LLM/Generative AI Risks, with the MITRE ATLAS techniques AML.T0040.000, Invert AI Model (AML.T0024.001) and Direct (AML.T0051.000) in scope.

EU & UK References

Vulnerability details

Anubis is a tool that allows administrators to protect bots against AI scrapers through bot-checking heuristics and a proof-of-work challenge to discourage scraping from multiple IP addresses. Anubis allows attackers to bypass the bot protection by requesting a challenge, supplying any nonce (such as 42069), and then passing the challenge with difficulty zero. Commit e09d0226a628f04b1d80fd83bee777894a45cd02 fixes this behavior by no longer using a client-specified difficulty value.
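The flaw and its fix side by side, as an added Go example that is not Anubis's own code: the hash construction, the Submission shape and the challenge token are assumptions made for illustration; only the client-controlled difficulty check and the server-side fix mirror the description above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Illustrative PoW model (an assumption, not Anubis's real wire format): the client
// must find a nonce such that hex(sha256(challenge + nonce)) starts with `difficulty` zeros.
func leadingZeros(challenge string, nonce int) int {
	sum := sha256.Sum256([]byte(challenge + strconv.Itoa(nonce)))
	h := hex.EncodeToString(sum[:])
	n := 0
	for n < len(h) && h[n] == '0' {
		n++
	}
	return n
}

// Submission is the client's answer (constructed shape for this example).
type Submission struct {
	Nonce      int
	Difficulty int // client-asserted, hence untrusted (CWE-807)
}
// verifyVulnerable reproduces the flaw: the bar checked is the difficulty the
// client sent, so Difficulty 0 passes with any nonce, e.g. 42069.
func verifyVulnerable(challenge string, s Submission) bool {
	return leadingZeros(challenge, s.Nonce) >= s.Difficulty
}
// verifyFixed checks only the server-configured difficulty; the client's field is ignored.
func verifyFixed(challenge string, serverDifficulty int, s Submission) bool {
	return leadingZeros(challenge, s.Nonce) >= serverDifficulty
}
// solve is the honest client's work loop; difficulty 4 needs ~65k hashes.
func solve(challenge string, difficulty int) int {
	for nonce := 0; ; nonce++ {
		if leadingZeros(challenge, nonce) >= difficulty {
			return nonce
		}
	}
}
func main() {
	const challenge = "constructed-challenge-token" // stands in for a server-issued token
	bogus := Submission{Nonce: 42069, Difficulty: 0}
	fmt.Println("vulnerable, client-asserted 0:", verifyVulnerable(challenge, bogus)) // true
	fmt.Println("fixed, server requires 4:", verifyFixed(challenge, 4, bogus))        // false unless 42069 happens to solve it
	fmt.Println("fixed, honest nonce:", verifyFixed(challenge, 4, Submission{Nonce: solve(challenge, 4)})) // true
}
```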

CWE(s)

AI Security Analysis

AI Category: Other Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1211 Exploitation for Stealth (tactic: Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability in Anubis allows attackers to bypass bot protection heuristics and proof-of-work challenges by specifying zero difficulty, enabling exploitation for defense evasion.

MITRE ATLAS Techniques

AML.T0040.000
AML.T0024.001: Invert AI Model
AML.T0051.000: Direct
AML.T0018.000: Poison AI Model
AML.T0048.000: Financial Harm
AML.T0016.000: Adversarial AI Attack Implementations

Affected Assets

Xeiaso (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-807: Prevents reliance on untrusted matching results for security-relevant decisions by enforcing verification and contest procedures.

Control addressing CWE-807: Providing authoritative attributes with the data reduces the need for security decisions to rely on untrusted external inputs.

Control addressing CWE-807: Reduces reliance on untrusted inputs by ensuring only authorized sources may supply data.

References