CVE-2025-25333
Published: 27 February 2025
Summary
CVE-2025-25333 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE ranks at the 44.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25333 is a vulnerability in the IKEA CN iOS app version 4.13.0 that enables attackers to access sensitive user information through a crafted link. Published on 2025-02-27, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The vector indicates network accessibility, low complexity, no privileges or user interaction required, high confidentiality impact, and no effect on integrity or availability. The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
The attack scenario involves unauthenticated remote attackers crafting and distributing malicious links to targeted users of the vulnerable app. Upon interaction with the link, attackers can retrieve sensitive user data without further authentication, making it exploitable by anyone with basic network reach to potential victims running IKEA CN iOS 4.13.0.
The advisory at https://github.com/ZhouZiyi1/Vuls/blob/main/250116-IKEACN/250116-IKEACN.pdf details the vulnerability, but the available data provides no specific patch or mitigation instructions. Security practitioners should advise users to update the app if newer versions are released and to avoid interacting with unsolicited links from IKEA CN sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5461
Vulnerability details
An issue in IKEA CN iOS 4.13.0 allows attackers to access sensitive user information via supplying a crafted link.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables disclosure of sensitive user data when a victim interacts with a crafted malicious link, directly matching the Malicious Link sub-technique for user execution leading to information disclosure.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in the IKEA CN iOS app that exposes sensitive user information via crafted links.
- Prevents exploitation of crafted links by enforcing input validation restrictions at application boundaries to block improper handling leading to sensitive data exposure.
- Enforces access controls on publicly accessible app interfaces to protect sensitive user information from unauthorized access triggered by crafted links.