Cyber Resilience

CVE-2025-25333

High

Published: 27 February 2025

Published
27 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0022 44.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25333 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 44.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25333 is a vulnerability in the IKEA CN iOS app version 4.13.0 that enables attackers to access sensitive user information through a crafted link. Published on 2025-02-27, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network accessibility, low complexity, no privileges or user interaction required, and no effect on integrity or availability. The issue aligns with CWE-200, improper handling of sensitive information exposure.

The attack scenario involves unauthenticated remote attackers crafting and distributing malicious links to targeted users of the vulnerable app. Upon interaction with the link, attackers can retrieve sensitive user data without further authentication, making it exploitable by anyone with basic network reach to potential victims running IKEA CN iOS 4.13.0.

Advisories referenced in https://github.com/ZhouZiyi1/Vuls/blob/main/250116-IKEACN/250116-IKEACN.pdf detail the vulnerability, but no specific patch or mitigation instructions are provided in the available data. Security practitioners should advise users to update the app if newer versions are released and avoid interacting with unsolicited links from IKEA CN sources.

EU & UK References

Vulnerability details

An issue in IKEA CN iOS 4.13.0 allows attackers to access sensitive user information via supplying a crafted link.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The vulnerability enables disclosure of sensitive user data when a victim interacts with a crafted malicious link, directly matching the Malicious Link sub-technique for user execution leading to information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13796Shared CWE-200
CVE-2025-27784Shared CWE-200
CVE-2025-26001Shared CWE-200
CVE-2026-42826Shared CWE-200
CVE-2025-24232Shared CWE-200
CVE-2026-4712Shared CWE-200
CVE-2024-48125Shared CWE-200
CVE-2025-25975Shared CWE-200
CVE-2025-55265Shared CWE-200
CVE-2025-27604Shared CWE-200

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in the IKEA CN iOS app that exposes sensitive user information via crafted links.

prevent

Prevents exploitation of crafted links by enforcing input validation restrictions at application boundaries to block improper handling leading to sensitive data exposure.

prevent

Enforces access controls on publicly accessible app interfaces to protect sensitive user information from unauthorized access triggered by crafted links.

References