CVE-2025-24865
Published: 13 February 2025
Summary
CVE-2025-24865 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in mySCADA myPRO. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
The vulnerability CVE-2025-24865 is a missing authentication flaw (CWE-306) affecting the administrative web interface of mySCADA myPRO Manager. An unauthenticated remote attacker can reach the interface directly, bypassing any password requirement and gaining the ability to retrieve sensitive information or upload arbitrary files.
Because the flaw requires no credentials or user interaction and is reachable over the network, any internet-facing or poorly segmented deployment can be exploited by an unauthorized attacker to read configuration data, credentials, or other sensitive content and to place malicious files on the system. The associated CVSS 4.0 score of 10.0 reflects the maximum impact across confidentiality, integrity, and availability in both the vulnerable component and its environment.
CISA’s ICS advisory ICSA-25-044-16 and the vendor’s download and contact pages provide the authoritative guidance on mitigation steps and available updates; organizations should consult these sources for patch information and recommended hardening measures. The EPSS score currently stands at 0.6723 with no material change from its peak, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3963
Vulnerability details
The administrative web interface of mySCADA myPRO Manager can be accessed without authentication, which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass on a public-facing admin web interface directly enables T1190 exploitation; it also facilitates T1005 through unauthorized retrieval of sensitive data and T1105 through arbitrary file uploads without credentials.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires limiting the critical administrative functions that can be performed without identification or authentication, preventing unauthorized access to the mySCADA myPRO Manager web interface.
Mandates identification and authentication for organizational users before system access, mitigating the complete lack of credentials required for the vulnerable admin interface.
Enforces approved access control policies to block unauthorized retrieval of sensitive information and file uploads via the authentication-bypassed interface.