CVE-2025-25182
Published: 12 February 2025
Summary
CVE-2025-25182 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 15.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25182 is an authentication bypass vulnerability (CWE-290) affecting Stroom, an open-source data processing, storage, and analysis platform developed by GCHQ. The issue impacts versions starting from 7.2-beta.53 up to but not including 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2. It arises specifically when Stroom is configured with AWS Application Load Balancer (ALB) authentication integration and the application is deployed in a way that makes it directly network-accessible outside of the ALB itself, so that a client can reach the application without passing through the ALB's authentication. The vulnerability carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating critical severity: it is reachable over the network and requires neither privileges nor user interaction.
Attackers can exploit this vulnerability remotely without authentication by directly accessing the Stroom instance, bypassing the ALB. Successful exploitation grants unauthorized access to the system. Additionally, it may enable server-side request forgery (SSRF), potentially targeting the AWS instance metadata URL to achieve remote code execution or further privilege escalation in AWS environments.
The vulnerability has been addressed in Stroom versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2. Security practitioners should upgrade to one of these fixed releases. Detailed information, including the patch via pull request, is available in the GitHub security advisory (GHSA-x489-xx2m-vc43) and the corresponding pull request (#4320).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4073
Vulnerability details
Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authentication bypass to a Stroom system when configured with ALB and installed in a way that the application is accessible not through the ALB itself. This vulnerability may also allow for server-side request forgery which may lead to code execution or further privilege escalation when using the AWS metadata URL. This scenario assumes that Stroom must be configured to use ALB Authentication integration and the application is network accessible. The vulnerability has been fixed in versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2.
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in a public-facing Stroom application (when the ALB deployment is misconfigured) enables T1190 for initial unauthorized access. It additionally facilitates SSRF against the AWS instance metadata API, enabling T1552.005 (Cloud Instance Metadata API) for credential theft and potential RCE or privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the authentication bypass vulnerability by identifying, reporting, and applying patches to reach the fixed Stroom versions (7.2.24, 7.3-beta.22, 7.4.4, 7.5-beta.2).
- SC-7 (Boundary Protection): Prevents direct network access to the Stroom application by monitoring and controlling communications at external boundaries, forcing all traffic through the authenticated ALB.
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to system resources, reducing the risk of authentication bypass even in misconfigured direct-access scenarios.