Cyber Posture

CVE-2025-24865

Critical

Published: 13 February 2025

Modified: 04 March 2025
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.6723 (98.6th percentile)
Risk Priority: 60 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24865 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Myscada Mypro. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires limiting critical administrative functions without identification or authentication, preventing unauthorized access to the mySCADA myPRO Manager web interface.

prevent

Mandates identification and authentication for organizational users before system access, mitigating the complete lack of credentials required for the vulnerable admin interface.

prevent

Enforces approved access control policies to block unauthorized retrieval of sensitive information and file uploads via the authentication-bypassed interface.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

Why these techniques?

The authentication bypass on the public-facing admin web interface directly enables T1190 exploitation. It also facilitates T1005 via unauthorized retrieval of sensitive data and T1105 via arbitrary file uploads without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.

Deeper analysis

CVE-2025-24865 is a critical authentication bypass vulnerability in the administrative web interface of mySCADA myPRO Manager. Published on 2025-02-13, it stems from CWE-306 (Missing Authentication for Critical Function), allowing the interface to be accessed without any credentials. This enables unauthorized retrieval of sensitive information and file uploads without the associated password, earning a perfect CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected interface. No user privileges, interaction, or complex conditions are required, making it highly accessible remotely with low attack complexity. Successful exploitation grants attackers the ability to extract sensitive data and upload arbitrary files, resulting in high impacts to confidentiality, integrity, and availability, compounded by a change in scope.

Mitigation guidance is detailed in CISA ICS Advisory ICSA-25-044-16 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16. Vendor resources include the mySCADA contacts page at https://www.myscada.org/contacts/ and downloads page at https://www.myscada.org/downloads/mySCADAPROManager/, which may provide patches or additional remediation steps.

Details

CWE(s)

Affected Products

myscada mypro ≤ 1.4

CVEs Like This One

CVE-2025-25067 (same product: Myscada Mypro)
CVE-2025-22896 (same product: Myscada Mypro)
CVE-2026-34732 (shared CWE-306)
CVE-2025-25224 (shared CWE-306)
CVE-2025-43428 (shared CWE-306)
CVE-2025-30111 (shared CWE-306)
CVE-2026-42796 (shared CWE-306)
CVE-2026-32646 (shared CWE-306)
CVE-2025-0108 (shared CWE-306)
CVE-2026-2754 (shared CWE-306)
