Cyber Resilience

CVE-2025-24924

Critical

Published: 05 March 2025

Published
05 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 29.0th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24924 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisa (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-24924 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting GMOD Apollo, an open-source genome annotation platform. The issue, classified under CWE-306 (Missing Authentication for Critical Function), arises because certain functionality within GMOD Apollo does not require authentication when passed with an administrative username. The vulnerability was published on 2025-03-05.

Remote, unauthenticated attackers with network access to a vulnerable GMOD Apollo instance can exploit this flaw by supplying an administrative username, bypassing authentication controls. Successful exploitation grants high-impact access, enabling attackers to achieve full compromise of the affected system through unauthorized confidentiality breaches, integrity modifications, and availability disruptions.

Mitigation guidance is available in the CISA ICS Advisory ICSA-25-063-07, accessible at https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07. Security practitioners should consult this advisory for patching instructions and recommended workarounds.

EU & UK References

Vulnerability details

Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a missing authentication vulnerability in a public-facing web application (GMOD Apollo), allowing remote unauthenticated attackers to bypass controls and achieve full compromise, directly mapping to exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21515Shared CWE-306
CVE-2025-57432Shared CWE-306
CVE-2026-27446Shared CWE-306
CVE-2026-21446Shared CWE-306
CVE-2021-47891Shared CWE-306
CVE-2025-41715Shared CWE-306
CVE-2026-24790Shared CWE-306
CVE-2025-21524Shared CWE-306
CVE-2025-53072Shared CWE-306
CVE-2025-40771Shared CWE-306

Affected Assets

Cisa
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventdetect

AC-14 directly requires identifying, risk-assessing, controlling, and monitoring functions without authentication, preventing exploitation of GMOD Apollo's unauthenticated administrative functionality.

prevent

AC-3 enforces approved access authorizations, mitigating the bypass of authentication controls for administrative actions in GMOD Apollo.

prevent

IA-2 mandates unique identification and authentication for organizational users, countering the vulnerability allowing admin access solely via username without verification.

References