Cyber Resilience

CVE-2025-25211

Critical

Published: 31 March 2025
Modified: 15 April 2026
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0050 (66.2nd percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25211 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Jvn (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE ranks in the top 33.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-25211 is a weak password requirements vulnerability, classified under CWE-521, affecting all versions of the CHOCO TEI WATCHER mini (IB-MCT001) device. Published on March 31, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites for exploitation.

The vulnerability enables remote attackers with no privileges or user interaction to perform brute-force attacks against weak password policies, resulting in unauthorized access and login to the device. Exploitation could lead to high-impact compromise of confidentiality, integrity, and availability, such as unauthorized control over the monitoring functions of the affected hardware.

Advisories from JVN (JVNVU#91154745), CISA (ICS-A-25-084-04), vendor Inaba (chocomini_vulnerability.pdf), and Nozomi Networks detail mitigation strategies, with the latter noting unpatched vulnerabilities in production-line cameras that may enable remote surveillance and hinder stoppage recording. Security practitioners should consult these references for patch availability and hardening guidance.

Vulnerability details

A weak password requirements issue exists in CHOCO TEI WATCHER mini (IB-MCT001), all versions. If this issue is exploited, a brute-force attack may allow an attacker unauthorized access and login.

CWE(s): CWE-521 Weak Password Requirements

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Weak password requirements (CWE-521) directly enable remote brute-force attacks for unauthorized access without privileges or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25749 (shared CWE-521)
CVE-2025-1341 (shared CWE-521)
CVE-2025-55269 (shared CWE-521)
CVE-2026-33771 (shared CWE-521)
CVE-2025-27663 (shared CWE-521)
CVE-2025-22390 (shared CWE-521)
CVE-2026-25715 (shared CWE-521)
CVE-2025-55252 (shared CWE-521)
CVE-2023-37398 (shared CWE-521)
CVE-2025-63747 (shared CWE-521)

Affected Assets

Jvn (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): Directly mandates management of authenticators with sufficient strength of mechanism to address the weak password requirements enabling brute-force attacks in this CVE.

AC-7 Unsuccessful Logon Attempts (prevent): Enforces limits on consecutive unsuccessful logon attempts to thwart brute-force exploitation of weak passwords as described in the CVE.

Prevent: Requires timely identification, reporting, and correction of flaws such as the weak password requirements vulnerability affecting all versions of the device.
