Cyber Posture

CVE-2025-25748

Severity: High
Published: 11 March 2025
Modified: 29 January 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0008 (22.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25748 is a high-severity CSRF (CWE-352) vulnerability in Digitaldruid Hoteldruid. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). EPSS ranks this CVE at the 22.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Manipulation (T1098). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 requires mechanisms like CSRF tokens or origin validation to protect session authenticity, directly addressing the lack of proper CSRF protections in the gestione_utenti.php endpoint that allows forged requests to modify user passwords.

Prevent: SI-10 mandates validation of information inputs, including CSRF tokens or referrer/origin headers, to prevent unauthorized forged requests exploiting the vulnerable endpoint.

Prevent: IA-11 requires re-authentication for sensitive transactions like user password modifications, providing an additional layer to block CSRF exploitation even if initial session protections fail.
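As an added example (not HotelDruid's own code and not taken from the advisory), the three controls above written as the checks a PHP password-change handler would run before acting on a request; the function names, the ALLOWED_ORIGIN value and the layout of the session, form and header arrays are assumptions.

```php
<?php
// Added example, not HotelDruid code: server-side checks a password-change
// handler can run before acting. Names and the allowed origin are assumptions.
declare(strict_types=1);

const ALLOWED_ORIGIN = 'https://hotel.example.com'; // assumed deployment origin

// Issue one unguessable token per session and embed it in every form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// SC-23 (Session Authenticity): the submitted token must match the one bound
// to the session; hash_equals avoids a timing side channel on the comparison.
function csrf_token_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// SI-10 (Information Input Validation): a cross-origin request is rejected.
// Origin is checked when present, Referer is the fallback, and a request that
// carries neither header is refused rather than trusted by default.
function origin_valid(array $headers): bool
{
    if (isset($headers['Origin'])) {
        return $headers['Origin'] === ALLOWED_ORIGIN;
    }
    $referer = $headers['Referer'] ?? '';
    return str_starts_with($referer, ALLOWED_ORIGIN . '/');
}

// IA-11 (Re-authentication): a password change must also prove the current
// password, so a forged request cannot succeed on session state alone.
function password_change_allowed(
    array $session, array $post, array $headers, callable $verify_current
): bool {
    return csrf_token_valid($session, $post)
        && origin_valid($headers)
        && isset($post['current_password'])
        && $verify_current($session['user_id'] ?? null, $post['current_password']);
}
```

The `$headers` array is expected in the shape returned by PHP's `getallheaders()`, and `$verify_current` is whatever routine the application already uses to check a user's password hash.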

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Why these techniques?

The CSRF vulnerability on the user management endpoint directly enables unauthorized password modifications on behalf of authenticated users, which maps to account manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of origin or referrer validation and the absence of CSRF tokens.

NOTE: this is disputed because there is an id_sessione CSRF token.

Deeper analysis

CVE-2025-25748 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the gestione_utenti.php endpoint in HotelDruid version 3.0.7. Published on 2025-03-11, it stems from a lack of origin or referrer validation and the absence of CSRF tokens, enabling attackers to perform unauthorized actions—such as modifying user passwords—on behalf of authenticated users. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). It is disputed, however, due to the presence of an id_sessione CSRF token in the software.

Exploitation requires local access and low privileges, meaning an attacker must target an already-authenticated user with low privileges. The low attack complexity and lack of required user interaction (beyond the victim's authentication state) allow attackers to craft malicious requests that the victim submits unwittingly, such as via a malicious webpage. Successful exploitation grants high confidentiality and integrity impacts—enabling actions like password changes—and a low availability impact.

Advisory details are available in the referenced post at https://www.huyvo.net/post/cve-2025-25748-cross-site-request-forgery-csrf-vulnerability-in-hoteldruid-3-0-7. No specific patch or mitigation guidance is provided in the CVE description.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products:
digitaldruid hoteldruid 3.0.7

CVEs Like This One

CVE-2025-25749: same product (Digitaldruid Hoteldruid)
CVE-2026-28741: shared CWE-352
CVE-2024-55076: shared CWE-352
CVE-2025-2863: shared CWE-352
CVE-2026-24885: shared CWE-352
CVE-2025-1687: shared CWE-352
CVE-2025-25907: shared CWE-352
CVE-2026-33649: shared CWE-352
CVE-2024-56924: shared CWE-352
CVE-2025-27910: shared CWE-352

References