Cyber Posture

CVE-2025-25585

Severity: High · Public PoC · LPE

Published: 18 March 2025
Modified: 19 June 2025
KEV Added: not listed
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25585 is a high-severity Improper Access Control (CWE-284) vulnerability in R1Bbit Yimioa. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 27.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique, Account Manipulation (T1098). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to information and system resources, directly addressing the root cause here: the incorrect access control in WebSecurityConfig.java that lets unauthorized attackers modify administrator passwords.
- AC-6 Least Privilege (prevent): Restricts access to sensitive functions such as administrator password changes to only those users or processes that need them for their tasks.
- AC-2 Account Management (prevent): Manages system accounts, including protecting credentials from unauthorized changes and reviewing account usage, which limits the damage of an access-control flaw that would otherwise allow arbitrary password modification.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1098 Account Manipulation (tactic: Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Why these techniques?

The incorrect access control flaw directly enables unauthorized modification of administrator passwords, facilitating T1098 Account Manipulation and T1068 Exploitation for Privilege Escalation to gain admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords.

Deeper analysis (AI-generated)

CVE-2025-25585, published on 2025-03-18, is an incorrect access control vulnerability (CWE-284) in the /config/WebSecurityConfig.java component of yimioa versions prior to v2024.07.04. This flaw enables unauthorized attackers to arbitrarily modify Administrator passwords, with a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L), indicating high confidentiality and integrity impacts alongside low availability impact.

A local attacker with no prior privileges can exploit this vulnerability with low attack complexity, although user interaction is required. Successful exploitation allows the attacker to change Administrator passwords arbitrarily, potentially granting unauthorized administrative access to and control over the affected yimioa instance.

The vulnerability is documented in the issue tracker at https://gitee.com/r1bbit/yimioa/issues/IBI7PG. Mitigation requires updating to yimioa v2024.07.04 or later, which resolves the access control issue in WebSecurityConfig.java.
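As an added illustration (not yimioa's own code; the advisory does not describe the exact misconfiguration), the following Spring Security configuration shows the kind of rule-ordering mistake that leaves a password-change endpoint reachable without authentication, beside its hardened form. It assumes the project uses Spring Security, as the class name WebSecurityConfig suggests; the endpoint path "/admin/password" and the role name "ADMIN" are invented for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added illustration, not yimioa's code. The path "/admin/password" and the
// role "ADMIN" are assumptions chosen for this example.
@Configuration
public class WebSecurityConfig {

    // Weak form (hypothetical): the catch-all permitAll() rule comes first, so
    // it matches every request and the ADMIN rule below it is never consulted.
    // The password-change endpoint is therefore reachable with no credentials.
    //
    //   http.authorizeHttpRequests(auth -> auth
    //       .requestMatchers("/**").permitAll()
    //       .requestMatchers("/admin/**").hasRole("ADMIN"));

    // Hardened form: most specific rules first, an explicit role requirement on
    // the sensitive path, and deny-by-default for everything else. This is the
    // concrete shape of NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least
    // Privilege) for a web application.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Only genuinely public resources are opened up.
                .requestMatchers("/login", "/css/**", "/js/**").permitAll()
                // The password-change endpoint requires the ADMIN role.
                .requestMatchers("/admin/password").hasRole("ADMIN")
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Anything not listed above needs an authenticated session.
                .anyRequest().authenticated())
            // CSRF protection is left at its default (enabled): a state-changing
            // password update must not be triggerable by a forged request.
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }
}
```

A quick check after deploying such a change is to request the password-change endpoint without a session and confirm the response is a redirect to the login page or a 401/403 rather than a 200.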

Details

CWE(s): CWE-284 Improper Access Control

Affected Products: r1bbit yimioa ≤ 2024.07.04

CVEs Like This One

- CVE-2025-1227 (same product: R1Bbit Yimioa)
- CVE-2025-1224 (same product: R1Bbit Yimioa)
- CVE-2025-1226 (same product: R1Bbit Yimioa)
- CVE-2025-1216 (same product: R1Bbit Yimioa)
- CVE-2024-56898 (shared CWE-284)
- CVE-2026-26417 (shared CWE-284)
- CVE-2025-25950 (shared CWE-284)
- CVE-2025-24968 (shared CWE-284)
- CVE-2025-54914 (shared CWE-284)
- CVE-2025-21359 (shared CWE-284)

References

- Issue tracker entry: https://gitee.com/r1bbit/yimioa/issues/IBI7PG