Cyber Resilience

CVE-2025-24865

Critical

Published: 13 February 2025

Published
13 February 2025
Modified
04 March 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.6723 98.6th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24865 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Myscada Mypro. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

The vulnerability CVE-2025-24865 is a missing authentication flaw (CWE-306) affecting the administrative web interface of mySCADA myPRO Manager. An unauthenticated remote attacker can reach the interface directly, bypassing any password requirement and gaining the ability to retrieve sensitive information or upload arbitrary files.

Because the flaw requires no credentials, network access, or user interaction, any internet-facing or poorly segmented deployment can be exploited by an unauthorized attacker to read configuration data, credentials, or other sensitive content and to place malicious files on the system. The associated CVSS 4.0 score of 10.0 reflects the maximum impact across confidentiality, integrity, and availability in both the vulnerable component and its environment.

CISA’s ICS advisory ICSA-25-044-16 and the vendor’s download and contact pages provide the authoritative guidance on mitigation steps and available updates; organizations should consult these sources for patch information and recommended hardening measures. The EPSS score currently stands at 0.6723 with no material change from its peak, indicating sustained exploitation interest since disclosure.

EU & UK References

Vulnerability details

The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Authentication bypass on public-facing admin web interface directly enables T1190 exploitation; facilitates T1005 via unauthorized sensitive data retrieval and T1105 via arbitrary file uploads without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25067Same product: Myscada Mypro
CVE-2025-22896Same product: Myscada Mypro
CVE-2025-30111Shared CWE-306
CVE-2024-13186Shared CWE-306
CVE-2026-34732Shared CWE-306
CVE-2025-25224Shared CWE-306
CVE-2025-43428Shared CWE-306
CVE-2026-42796Shared CWE-306
CVE-2026-32646Shared CWE-306
CVE-2026-2754Shared CWE-306

Affected Assets

myscada
mypro
≤ 1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires limiting critical administrative functions without identification or authentication, preventing unauthorized access to the mySCADA myPRO Manager web interface.

prevent

Mandates identification and authentication for organizational users before system access, mitigating the complete lack of credentials required for the vulnerable admin interface.

prevent

Enforces approved access control policies to block unauthorized retrieval of sensitive information and file uploads via the authentication-bypassed interface.

References