CVE-2025-25709
Published: 12 March 2025
Summary
CVE-2025-25709 is a high-severity vulnerability with an unspecified weakness type. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-25709, published on 2025-03-12, is a privilege escalation vulnerability in dtp.ae tNexus Airport View version 2.8. The issue resides in the addUser and updateUser endpoints, where a remote attacker can exploit flawed access controls to elevate their privileges. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact without affecting integrity or availability.
A remote attacker requires no prior privileges, authentication, or user interaction to exploit the vulnerability over the network. By targeting the addUser or updateUser endpoints, the attacker can escalate to higher privilege levels, potentially gaining unauthorized access to sensitive data and achieving high confidentiality impact as reflected in the CVSS metrics.
Mitigation details and further technical analysis are available in the referenced vulnerability research repository at https://github.com/z5jt/vulnerability-research/tree/main/CVE-2025-25709.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7679
Vulnerability details
An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the addUser and updateUser endpoints.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated remote privilege escalation vulnerability in a public-facing web application due to flawed access controls on addUser/updateUser endpoints, directly enabling T1190 for initial access via public app exploitation and T1068 for privilege escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces approved authorizations on endpoints like addUser and updateUser to prevent unauthorized privilege escalation due to flawed access controls.
Implements least privilege to restrict user and process access, mitigating the ability to escalate privileges via the vulnerable endpoints.
Manages account creation and updates to ensure proper authorization checks before privilege changes on addUser and updateUser endpoints.