CVE-2025-25598
Published: 13 March 2025
Summary
CVE-2025-25598 is a high-severity Improper Access Control (CWE-284) vulnerability in Inovalogic Customer Monitor. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 25.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-25598, published on 2025-03-13, is an incorrect access control vulnerability (CWE-284) in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) version 3.1.757.1. The flaw allows attackers to escalate privileges by placing a crafted executable into a scheduled task. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact across confidentiality, integrity, and availability.
Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). By leveraging the flawed access controls in the scheduled tasks console, they can insert a malicious executable that executes with elevated privileges upon scheduling, enabling privilege escalation and potentially full system compromise.
Mitigation details are available in the referenced advisory at https://github.com/quriusfox/vulnerability-research/tree/main/CVE-2025-25598.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6391
Vulnerability details
Incorrect access control in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) v3.1.757.1 allows attackers to escalate privileges via placing a crafted executable into a scheduled task.
- CWE(s): CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control in the scheduled tasks console enables privilege escalation by placing crafted executables into scheduled tasks (T1068) and facilitates abuse of scheduled tasks for execution/persistence (T1053.005).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved access authorizations in the scheduled tasks console, preventing low-privileged attackers from placing crafted executables.
- AC-6 (Least Privilege): ensures scheduled tasks do not execute with privileges beyond what is necessary, blocking escalation.
- Restricts the ability to modify scheduled task configurations to authorized personnel only, mitigating unauthorized insertion of malicious executables.
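One way to verify the least-privilege control on a host is to audit which elevated scheduled tasks launch executables from locations a low-privileged user could write to. The script below is an added example, not code from the advisory or from Inova Logic; the trusted-directory allow-list, the principal set, and the sample task rows are constructed assumptions, laid out like a `schtasks /query /fo CSV /v` export reduced to three columns.

```python
import csv
import io
from pathlib import PureWindowsPath

# Assumed allow-list: directories only administrators can write to, so an
# elevated task launching from here cannot have its executable swapped for a
# crafted one by a low-privileged user. Adjust for the environment audited.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
# Principals whose tasks run with elevated privileges (compared case-insensitively).
ELEVATED_PRINCIPALS = {"nt authority\\system", "builtin\\administrators"}

# Constructed sample in the column layout of `schtasks /query /fo CSV /v`,
# reduced to the three columns used here. These are not real tasks.
SAMPLE_EXPORT = r'''
"TaskName","Task To Run","Run As User"
"\CM\Collect Inventory","""C:\Program Files\CM\collector.exe"" /quiet","NT AUTHORITY\SYSTEM"
"\CM\Nightly Report","C:\Users\Public\report.exe","NT AUTHORITY\SYSTEM"
"\CM\User Cleanup","C:\Users\alice\AppData\Local\Temp\cleanup.exe","ACME\alice"
"\CM\Backup","C:\ProgramData\CM\backup.exe","BUILTIN\Administrators"
'''.strip()


def executable_path(command: str) -> PureWindowsPath:
    """Return the executable from a 'Task To Run' field, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        exe = command.split(" ", 1)[0]
    return PureWindowsPath(exe)


def is_trusted(path: PureWindowsPath) -> bool:
    """True when the executable lives under one of TRUSTED_DIRS (case-insensitive)."""
    normalised = str(path).lower()
    return any(normalised.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def audit_tasks(export_csv: str) -> list[dict]:
    """Flag tasks that run elevated from an executable outside the trusted directories."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        exe = executable_path(row["Task To Run"])
        if row["Run As User"].lower() in ELEVATED_PRINCIPALS and not is_trusted(exe):
            findings.append({"task": row["TaskName"], "exe": str(exe), "runs_as": row["Run As User"]})
    return findings
```

Running `audit_tasks(SAMPLE_EXPORT)` reports the two SYSTEM/Administrators tasks whose executables sit under `C:\Users\Public` and `C:\ProgramData`; the per-user task is skipped because it does not run elevated.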