CVE-2025-25749
Published: 11 March 2025
Summary
CVE-2025-25749 is a high-severity Weak Password Requirements (CWE-521) vulnerability in Digitaldruid Hoteldruid. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE ranks in the top 19.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25749 is a weakness in HotelDruid versions 3.0.7 and earlier that stems from missing password strength policy enforcement, allowing users to configure arbitrarily weak credentials. The issue is tracked as CWE-521 and carries a CVSS 3.1 base score of 7.1, reflecting a network attack vector, high attack complexity, and low-privileged access without user interaction.
An authenticated attacker who can reach the application can supply weak passwords during account creation or modification. Successful exploitation may lead to credential compromise that grants the attacker elevated confidentiality and integrity access along with limited availability impact on the affected HotelDruid instance.
The single reference URL provides disclosure details but contains no information on vendor patches, configuration workarounds, or official mitigation guidance. The associated EPSS score remains flat at 0.0133 with no material increase after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7682
Vulnerability details
An issue in HotelDruid version 3.0.7 and earlier allows users to set weak passwords due to the lack of enforcement of password strength policies.
- CWE(s): CWE-521 (Weak Password Requirements)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Brute Force (T1110)
Why these techniques?
The vulnerability's lack of password strength enforcement (CWE-521) directly allows weak passwords on accounts, explicitly enabling subsequent brute-force and guessing attacks as described in the CVE.
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly requires enforcement of sufficient strength for authenticators like passwords during creation and modification, addressing the lack of password complexity policies in HotelDruid.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of the specific flaw enabling weak password setting, preventing exploitation through timely software remediation.
- AC-7 (Unsuccessful Logon Attempts): Limits consecutive unsuccessful logon attempts to block brute-force attacks that become feasible due to weak passwords set in HotelDruid.
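The two controls that bear directly on CWE-521 (a password-strength check at account creation or modification, and a cap on consecutive failed logins) are shown below as an added, self-contained Python example. It is not HotelDruid's code and does not reflect how HotelDruid stores credentials; the minimum length, the character-class rule, the lockout threshold, the lockout window, and the small deny-list of common passwords are all illustrative assumptions chosen for the example.

```python
"""Added example (not HotelDruid's code): a password-strength policy enforced
when a password is set (NIST 800-53 IA-5) and a consecutive-failure lockout
checked at login (AC-7). All thresholds below are assumptions for illustration."""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # assumed: lower/upper/digit/symbol classes required
MAX_FAILED = 5           # assumed AC-7 threshold for consecutive failures
LOCKOUT_SECONDS = 900    # assumed lockout window (15 minutes)
PBKDF2_ROUNDS = 100_000  # assumed work factor for stored password hashes

# Constructed deny-list; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "hoteldruid", "admin", "welcome1"}


def check_password_policy(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


class AccountStore:
    """In-memory accounts with salted PBKDF2 hashes and per-user lockout state."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so tests can advance time
        self._accounts = {}             # username -> (salt, pbkdf2 digest)
        self._failures = {}             # username -> (failure count, locked_until)

    def set_password(self, username: str, password: str) -> None:
        """IA-5: refuse any password that violates the strength policy."""
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[username] = (salt, digest)

    def verify_login(self, username: str, password: str) -> str:
        """AC-7: return 'ok', 'denied', or 'locked'; lock after MAX_FAILED failures."""
        now = self._now()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"             # do not even evaluate the password while locked
        record = self._accounts.get(username)
        if record is not None:
            salt, digest = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, digest):
                self._failures.pop(username, None)   # success resets the counter
                return "ok"
        else:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal whether the account exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        count += 1
        if count >= MAX_FAILED:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    print(check_password_policy("anna2025", "anna"))     # violations listed
    store.set_password("anna", "Tr0ub4dor&3-lodge")      # accepted by policy
    for guess in ("guess1", "guess2", "guess3", "guess4", "guess5"):
        print(guess, store.verify_login("anna", guess))  # denied x4, then locked
```

`verify_login` checks the lockout state before touching the password, so a locked account stays locked even when the correct password is supplied, and the counter is only cleared by a successful login after the window expires. Expired-window handling is deliberate: the lock is time-based rather than permanent, which matches the intent of AC-7 without turning the control into a denial-of-service lever against legitimate users.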