Cyber Resilience

CVE-2025-25182
Severity: Critical
Published: 12 February 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0005 (15.9th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25182 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability with a CVSS v3.1 base score of 9.4 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS places it at the 15.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25182 is an authentication bypass vulnerability (CWE-290) affecting Stroom, an open-source data processing, storage, and analysis platform developed by GCHQ. It affects versions from 7.2-beta.53 up to but not including 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2. The issue arises only when Stroom is configured to use AWS Application Load Balancer (ALB) authentication integration and is deployed so that the application is directly reachable over the network without passing through the ALB. The CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) reflects a network-reachable, low-complexity attack that requires neither privileges nor user interaction, with high confidentiality and integrity impact and low availability impact.

An unauthenticated remote attacker who can reach the Stroom instance without traversing the ALB can bypass the authentication the ALB is expected to enforce: with ALB authentication enabled, the application relies on the ALB having authenticated requests before they arrive, which is the spoofing condition of CWE-290. Successful exploitation grants unauthorized access to the system. The advisory also notes that the same condition may enable server-side request forgery (SSRF); in AWS, an SSRF directed at the instance metadata URL can expose instance credentials, which may lead to remote code execution or further privilege escalation.

The vulnerability has been addressed in Stroom versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2, and practitioners should upgrade to one of these fixed releases. Independently of the upgrade, confirm that the Stroom listener is reachable only from the ALB, since the bypass depends on direct network access. Detailed information, including the patch, is available in the GitHub security advisory (GHSA-x489-xx2m-vc43) and the corresponding pull request (#4320).
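As an added example, not code from the Stroom project or from this page: a check that decides whether a given Stroom version falls inside the affected range quoted above. It parses Stroom's tag scheme (beta tags such as 7.2-beta.53 sort before final releases of the same line, such as 7.2.24). The FIXED mapping and FIRST_AFFECTED constant are taken from the advisory text; treating release lines newer than 7.5 as carrying the fix is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED: Dict[Tuple[int, int], str] = {
    (7, 2): "7.2.24",
    (7, 3): "7.3-beta.22",
    (7, 4): "7.4.4",
    (7, 5): "7.5-beta.2",
}
# Earliest affected version named in the advisory.
FIRST_AFFECTED = "7.2-beta.53"

# Stroom tags look like '7.2-beta.53' (beta) or '7.2.24' (final release).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:-beta\.(\d+)|\.(\d+))$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Map a Stroom version string to a sortable tuple.

    The third element is 0 for betas and 1 for final releases, so within one
    line every beta sorts before every final; the fourth is the beta or patch
    number. Unrecognised strings raise rather than silently compare as safe.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Stroom version: {v!r}")
    major, minor, beta, patch = m.groups()
    if beta is not None:
        return (int(major), int(minor), 0, int(beta))
    return (int(major), int(minor), 1, int(patch))


def fixed_version_for(v: str) -> Optional[str]:
    """Return the fixed release for v's line, or None if the advisory lists none."""
    return FIXED.get(parse_version(v)[:2])


def is_affected(v: str) -> bool:
    """True when v is >= 7.2-beta.53 and below the fix for its own release line.

    Versions before the first affected tag are outside the range. Lines newer
    than any named in the advisory are assumed to carry the fix (assumption).
    """
    key = parse_version(v)
    if key < parse_version(FIRST_AFFECTED):
        return False
    fixed = fixed_version_for(v)
    if fixed is None:
        return False
    return key < parse_version(fixed)


def triage(versions) -> Dict[str, str]:
    """Summarise a list of deployed versions into upgrade advice."""
    result = {}
    for v in versions:
        if is_affected(v):
            result[v] = f"affected, upgrade to {fixed_version_for(v)}"
        else:
            result[v] = "not affected"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for version, verdict in triage(["7.2-beta.53", "7.2.23", "7.2.24",
                                    "7.3-beta.21", "7.4.4", "7.5-beta.1",
                                    "7.1.9"]).items():
        print(f"{version:12} {verdict}")
```

The check deliberately refuses to classify strings it cannot parse; an inventory tool that silently treats an unparseable tag as "not affected" hides exactly the hosts that need attention.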


Vulnerability details

Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authentication bypass to a Stroom system when configured with ALB and installed in a way that the application is accessible not through the ALB itself. This vulnerability may also allow for server-side request forgery which may lead to code execution or further privilege escalation when using the AWS metadata URL. This scenario assumes that Stroom must be configured to use ALB Authentication integration and the application is network accessible. The vulnerability has been fixed in versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2.

CWE(s): CWE-290 Authentication Bypass by Spoofing

Related Threats: MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

Authentication bypass in the public-facing Stroom application (when the instance is reachable without passing through the ALB) enables T1190 for initial unauthorized access. The same condition facilitates SSRF against the AWS instance metadata API, enabling T1552.005 for credential theft and potential RCE or privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55925 (shared CWE-290)
CVE-2026-0834 (shared CWE-290)
CVE-2026-33131 (shared CWE-290)
CVE-2026-24372 (shared CWE-290)
CVE-2025-27671 (shared CWE-290)
CVE-2026-24853 (shared CWE-290)
CVE-2026-30975 (shared CWE-290)
CVE-2026-31889 (shared CWE-290)
CVE-2026-40575 (shared CWE-290)
CVE-2025-11250 (shared CWE-290)


Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the authentication bypass vulnerability by identifying, reporting, and applying patches to the fixed Stroom versions (7.2.24, 7.3-beta.22, 7.4.4, 7.5-beta.2).

SC-7 Boundary Protection (prevent)
Prevents direct network access to the Stroom application by monitoring and controlling communications at external boundaries, forcing all traffic through the authenticated ALB.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to system resources, reducing the risk of authentication bypass even in misconfigured direct-access scenarios.
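As an added example of the boundary-protection control above, not code from this page or from the Stroom project: an offline audit that reads an EC2 security group in the shape returned by describe-security-groups and reports every ingress source for the application port other than the ALB's own security group. The two security groups are constructed samples showing the weak setting (open to 0.0.0.0/0) beside the corrected one (ALB security group only); the port 8080, the group IDs and the field subset used are assumptions for illustration.

```python
from typing import Dict, List

# Assumed application port and ALB security group ID for the illustration.
STROOM_PORT = 8080
ALB_SG = "sg-0alb00000000000001"

# Constructed sample: Stroom reachable from anywhere on its port (the
# deployment shape the advisory describes), plus an unrelated SSH rule.
WEAK_SG: Dict = {
    "GroupId": "sg-0stroom0000000000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ],
}

# Constructed sample: the corrected group, ingress on the port only from the
# ALB's security group, so every request must traverse the ALB.
HARDENED_SG: Dict = {
    "GroupId": "sg-0stroom0000000000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    ],
}


def _covers_port(rule: Dict, port: int) -> bool:
    """True if an ingress rule reaches `port` (protocol -1 means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_direct_ingress(sg: Dict, port: int, alb_sg: str) -> List[str]:
    """List every ingress source to `port` that is not the ALB's security group.

    IPv4 and IPv6 CIDRs, prefix lists and foreign security groups all count as
    direct paths that would let a client bypass ALB authentication.
    """
    findings: List[str] = []
    for rule in sg.get("IpPermissions", []):
        if not _covers_port(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            findings.append(f"cidr {r['CidrIp']}")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"cidr {r['CidrIpv6']}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != alb_sg:
                findings.append(f"sg {pair.get('GroupId')}")
        for pl in rule.get("PrefixListIds", []):
            findings.append(f"prefix-list {pl.get('PrefixListId')}")
    return findings


def alb_only(sg: Dict, port: int, alb_sg: str) -> bool:
    """True when the ALB's group is the sole ingress source for `port`.

    Also requires that the ALB is actually permitted; a group with no rule for
    the port at all is not 'ALB only', it is simply unreachable.
    """
    allowed_from_alb = any(
        _covers_port(rule, port)
        and any(p.get("GroupId") == alb_sg for p in rule.get("UserIdGroupPairs", []))
        for rule in sg.get("IpPermissions", [])
    )
    return allowed_from_alb and not find_direct_ingress(sg, port, alb_sg)


if __name__ == "__main__":
    for name, sg in (("weak", WEAK_SG), ("hardened", HARDENED_SG)):
        direct = find_direct_ingress(sg, STROOM_PORT, ALB_SG)
        print(f"{name}: alb_only={alb_only(sg, STROOM_PORT, ALB_SG)} direct={direct}")
```

In a real account the same functions can be fed the output of the EC2 API; the audit reads only standard describe-security-groups fields, and it treats an all-protocol rule as reaching every port so a catch-all rule cannot slip past a port-specific check.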
