Cyber Posture

CVE-2025-24895

Severity: Critical
Published: 18 February 2025
Modified: 15 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0006 (17.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24895 is a critical-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, SAML Tokens (T1606.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: Directly mitigates the SAML signature validation flaw by requiring timely identification, reporting and patching, i.e. upgrading the vulnerable CIE.AspNetCore.Authentication library to version 2.1.0.

SI-10 (Information Input Validation), prevent: Requires validation of SAML response inputs to ensure proper XML structure and signature verification, so that a legitimately signed element taken from IdP metadata and injected into a response is not accepted in place of a signature over the response itself.

SI-7 (Software, Firmware, and Information Integrity), prevent and detect: Mandates integrity verification mechanisms for software and information, including cryptographic checks on SAML assertions, to detect and prevent unauthorized modifications or bypasses.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1606.002 SAML Tokens (Credential Access): An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

Vulnerability in SAML response signature validation enables crafting arbitrary SAML responses for impersonation (T1606.002) and remote exploitation of public-facing auth services (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

CIE.AspNetCore.Authentication is an AspNetCore Remote Authenticator for CIE 3.0. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: 1. Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; 2. Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The library cie-aspnetcore refers to the second entity, the SP, and implements the validation logic of SAML assertions within SAML responses. In affected versions there is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP's public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This issue has been addressed in version 2.1.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Deeper analysis

CVE-2025-24895 is a critical vulnerability in the CIE.AspNetCore.Authentication library, an ASP.NET Core remote authenticator for CIE 3.0 that handles SAML2 assertion validation for Service Providers (SPs) in SPID and CIE authentication systems. The flaw stems from inadequate signature validation in SAML responses: there is no guarantee that the first signature found applies to the root object. This allows an attacker to place a legitimately signed XML element (easily obtained from the Identity Provider's public metadata) as the first element, causing the remaining signatures to go unverified. Affected versions are those prior to 2.1.0, mapped to CWE-287 (Improper Authentication), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Unauthenticated remote attackers can exploit this vulnerability by crafting an arbitrary SAML response that vulnerable SPs will accept as valid. By positioning a signed element from IdP metadata at the front, the attacker bypasses core validation logic, enabling full impersonation of any SPID or CIE user. Exploitation requires no user interaction or privileges, granting high confidentiality and integrity impacts, such as unauthorized access to protected resources.
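The structural gate that the analysis above turns on, written as an added example rather than code from cie-aspnetcore: the flawed selection takes whichever ds:Signature appears first in document order, while the hardened selection only trusts a Signature that is a direct child of the root element and whose single Reference points at the root's own ID. Namespaces, function names and the two minimal Response documents are constructed for this example; cryptographic verification of the selected signature is out of scope here.

```python
import xml.etree.ElementTree as ET

# Constructed namespace map; only the SAML protocol and XML-DSig namespaces matter here.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


def first_signature_reference(xml_text):
    """Flawed selection, the shape the advisory describes: take whichever ds:Signature
    comes first in document order, wherever it sits, and return the URI it references."""
    root = ET.fromstring(xml_text)
    for sig in root.iter(DS_SIGNATURE):
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        return ref.get("URI") if ref is not None else None
    return None


def root_signature(xml_text):
    """Hardened selection: only a Signature that is a direct child of the root and whose
    single Reference points at the root's own ID (an enveloped signature over the whole
    Response) is handed on to cryptographic verification. Returns None otherwise."""
    root = ET.fromstring(xml_text)
    root_id = root.get("ID")
    if not root_id:
        return None
    for sig in root.findall("ds:Signature", NS):  # direct children only, not descendants
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if len(refs) == 1 and refs[0].get("URI") == "#" + root_id:
            return sig
    return None


# Constructed minimal Responses (no real key material; SignedInfo is reduced to its Reference).
SIGNED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
</saml2p:Response>"""

# The Response itself is unsigned; the only signature belongs to an unrelated child element.
UNSIGNED_ROOT = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2">
  <Extra ID="_other">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_other"/></ds:SignedInfo></ds:Signature>
  </Extra>
</saml2p:Response>"""
```

A production validator additionally has to resolve the referenced ID to the root element itself (not merely compare strings, since ID attributes can be duplicated) and then verify the selected signature against the IdP certificate from metadata; this snippet shows only the selection step that the vulnerable versions got wrong.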

The GitHub security advisory (https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486) states that the issue is fully addressed in version 2.1.0, urging all users to upgrade immediately. No workarounds are available.

Details

CWE: CWE-287 (Improper Authentication)

CVEs Like This One (shared CWE-287)

CVE-2025-24894
CVE-2026-27197
CVE-2026-5570
CVE-2025-52395
CVE-2025-15484
CVE-2026-41571
CVE-2026-2174
CVE-2025-71279
CVE-2024-13804
CVE-2026-39322