
CVE-2025-25598

Severity: High

Published: 13 March 2025
Modified: 03 April 2025
KEV Added: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25598 is a high-severity Improper Access Control (CWE-284) vulnerability in Inovalogic Customer Monitor. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood (EPSS) the vulnerability ranks at the 25.3rd percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-25598, published on 2025-03-13, is an incorrect access control vulnerability (CWE-284) in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) version 3.1.757.1. The flaw allows attackers to escalate privileges by placing a crafted executable into a scheduled task. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). By leveraging the flawed access controls in the scheduled tasks console, they can insert a malicious executable that executes with elevated privileges upon scheduling, enabling privilege escalation and potentially full system compromise.

Mitigation details are available in the referenced advisory at https://github.com/quriusfox/vulnerability-research/tree/main/CVE-2025-25598.


Vulnerability details

Incorrect access control in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) v3.1.757.1 allows attackers to escalate privileges via placing a crafted executable into a scheduled task.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1053.005 Scheduled Task (tactic: Execution): Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.

Why these techniques?

Incorrect access control in the scheduled tasks console enables privilege escalation by placing crafted executables into scheduled tasks (T1068) and facilitates abuse of scheduled tasks for execution/persistence (T1053.005).

CVEs Like This One

- CVE-2026-48898 (shared CWE-284)
- CVE-2026-25176 (shared CWE-284)
- CVE-2026-48899 (shared CWE-284)
- CVE-2026-37526 (shared CWE-284)
- CVE-2024-56883 (shared CWE-284)
- CVE-2026-42823 (shared CWE-284)
- CVE-2026-0844 (shared CWE-284)
- CVE-2026-41086 (shared CWE-284)
- CVE-2026-35242 (shared CWE-284)
- CVE-2026-33834 (shared CWE-284)

Affected Assets

Vendor: inovalogic
Product: customer monitor
Version: 3.1.757.1

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

- AC-3 Access Enforcement (prevent): Directly enforces approved access authorizations in the scheduled tasks console to prevent low-privileged attackers from placing crafted executables.
- AC-6 Least Privilege (prevent): Applies least privilege to ensure scheduled tasks do not execute with elevated privileges beyond what is necessary, blocking escalation.
- Change restriction (prevent): Restricts access to modify scheduled task configurations to authorized personnel only, mitigating unauthorized insertion of malicious executables.
