CVE-2025-24924
Published: 05 March 2025
Summary
CVE-2025-24924 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisa (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-24924 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting GMOD Apollo, an open-source genome annotation platform. The issue, classified under CWE-306 (Missing Authentication for Critical Function), arises because certain functionality within GMOD Apollo does not require authentication when passed with an administrative username. The vulnerability was published on 2025-03-05.
Remote, unauthenticated attackers with network access to a vulnerable GMOD Apollo instance can exploit this flaw by supplying an administrative username, bypassing authentication controls. Successful exploitation grants high-impact access, enabling attackers to achieve full compromise of the affected system through unauthorized confidentiality breaches, integrity modifications, and availability disruptions.
Mitigation guidance is available in the CISA ICS Advisory ICSA-25-063-07, accessible at https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07. Security practitioners should consult this advisory for patching instructions and recommended workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6196
Vulnerability details
Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a missing authentication vulnerability in a public-facing web application (GMOD Apollo), allowing remote unauthenticated attackers to bypass controls and achieve full compromise, directly mapping to exploitation of public-facing applications for initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-14 directly requires identifying, risk-assessing, controlling, and monitoring functions without authentication, preventing exploitation of GMOD Apollo's unauthenticated administrative functionality.
AC-3 enforces approved access authorizations, mitigating the bypass of authentication controls for administrative actions in GMOD Apollo.
IA-2 mandates unique identification and authentication for organizational users, countering the vulnerability allowing admin access solely via username without verification.