Cyber Resilience

CVE-2025-25749

Severity: High · Public PoC
Published: 11 March 2025
Modified: 07 April 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0133 (80.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25749 is a high-severity Weak Password Requirements (CWE-521) vulnerability in Digitaldruid Hoteldruid. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Brute Force (T1110). The CVE ranks in the top 19.6% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25749 is a weakness in HotelDruid versions 3.0.7 and earlier that stems from missing password strength policy enforcement: the application accepts arbitrarily weak credentials whenever a password is set. The issue is tracked as CWE-521 and carries a CVSS 3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L): network attack vector, high attack complexity, low-privileged access, no user interaction, high confidentiality and integrity impact, and low availability impact.

Because strength is not enforced, an authenticated user can supply a trivially guessable password during account creation or modification. An attacker who can reach the login interface can then recover such a password by guessing, and the resulting credential compromise grants the access of the affected account: high confidentiality and integrity impact, with limited availability impact, on the HotelDruid instance.

The single reference URL provides disclosure details but contains no information on vendor patches, configuration workarounds, or official mitigation guidance. The associated EPSS score remains flat at 0.0133 with no material increase after publication.
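To make the CWE-521 chain above concrete, the following added example (not HotelDruid's code and not from the advisory; the function names, policy thresholds, deny-list and wordlist are assumptions) places a password setter that accepts any value beside one gated by IA-5 style strength checks, then runs a small offline dictionary attack against each stored hash to show why the missing check matters:

```python
import hashlib
import os
import re

# Constructed deny-list standing in for a real common-password corpus (assumption).
COMMON_PASSWORDS = {"123456", "password", "hotel", "admin", "qwerty", "1234", "welcome1"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt hash. n is kept deliberately low so the demo runs fast; raise it in production."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 12, r=8, p=1, dklen=32)


def set_password_weak(username: str, password: str) -> dict:
    """Mirrors the advisory's flaw: no strength check, so '1234' or even '' is stored as-is."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def password_violations(username: str, password: str, min_length: int = 12) -> list:
    """IA-5 style strength checks; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"[0-9]+", password):
        problems.append("digits only")
    return problems


def set_password_hardened(username: str, password: str) -> dict:
    """Same storage as the weak setter, but the policy gate runs first."""
    problems = password_violations(username, password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return set_password_weak(username, password)


def dictionary_attack(record: dict, wordlist) -> tuple:
    """Offline guessing against the stored hash (T1110.002). Returns (guess, attempts) or (None, attempts)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if hash_password(guess, record["salt"]) == record["hash"]:
            return guess, attempts
    return None, attempts


# Constructed wordlist for the demo (assumption).
WORDLIST = ["password", "123456", "hotel", "admin", "1234"]

if __name__ == "__main__":
    weak = set_password_weak("reception", "1234")
    print("weak policy:", dictionary_attack(weak, WORDLIST))
    try:
        set_password_hardened("reception", "1234")
    except ValueError as err:
        print("hardened policy:", err)
    strong = set_password_hardened("reception", "correct-horse-battery-2025")
    print("hardened policy:", dictionary_attack(strong, WORDLIST))
```

Under the weak setter the five-word list recovers the credential on the last guess; the hardened setter refuses the same value with three separate reasons, and the password it does accept survives the list. In a real deployment the deny-list should be a breach corpus, and the scrypt cost should be raised well above the demo value.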


Vulnerability details

An issue in HotelDruid version 3.0.7 and earlier allows users to set weak passwords due to the lack of enforcement of password strength policies.

CWE(s)

CWE-521 Weak Password Requirements

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

The vulnerability's lack of password strength enforcement (CWE-521) allows weak passwords on accounts, which is precisely the precondition that makes subsequent brute-force and password-guessing attacks (T1110) practical against the affected instance.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25748 (same product: Digitaldruid Hoteldruid)
CVE-2025-25211 (shared CWE-521)
CVE-2025-1341 (shared CWE-521)
CVE-2025-55269 (shared CWE-521)
CVE-2026-33771 (shared CWE-521)
CVE-2025-22390 (shared CWE-521)
CVE-2026-25715 (shared CWE-521)
CVE-2023-37398 (shared CWE-521)
CVE-2025-53963 (shared CWE-521)
CVE-2025-27663 (shared CWE-521)

Affected Assets

digitaldruid / hoteldruid, versions ≤ 3.0.7

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)
Directly requires enforcement of sufficient strength for authenticators like passwords during creation and modification, addressing the lack of password complexity policies in HotelDruid.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, and correction of the specific flaw enabling weak password setting, preventing exploitation through timely software remediation.

AC-7 Unsuccessful Logon Attempts (prevent)
Limits consecutive unsuccessful logon attempts to block brute-force attacks that become feasible due to weak passwords set in HotelDruid.
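The logon-attempt limit described in the last control above, exercised against the T1110 password guessing named under Related Threats, as an added example (not HotelDruid's code and not from the page; the thresholds, the credential store, the wordlist and the injected clock are assumptions):

```python
import hmac


class LoginGate:
    """AC-7 style lockout: count consecutive failures per account and refuse logons while locked."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures        # failures tolerated within the window
        self.window_seconds = window_seconds    # failures older than this are forgotten
        self.lockout_seconds = lockout_seconds  # lock duration once the limit is hit
        self._failures = {}                     # username -> timestamps of recent failures
        self._locked_until = {}                 # username -> time the lock expires

    def attempt(self, username, password, verify_fn, now):
        """Returns 'ok', 'bad_credentials' or 'locked'. `now` is injected so the demo is deterministic."""
        if self._locked_until.get(username, 0) > now:
            return "locked"                     # refused even if the password is right
        recent = [t for t in self._failures.get(username, []) if now - t < self.window_seconds]
        if verify_fn(username, password):
            self._failures.pop(username, None)  # success resets the consecutive-failure count
            return "ok"
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)
            return "locked"
        return "bad_credentials"


# Constructed credential store (assumption). A real store holds salted hashes; the weak
# value is exactly the kind of password CVE-2025-25749 lets a user choose.
CREDENTIALS = {"reception": "1234"}


def verify(username, password):
    """Stand-in for the application's credential check; constant-time comparison."""
    expected = CREDENTIALS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def online_guess(gate, username, wordlist, verify_fn, start=0.0, interval=1.0):
    """T1110.001 password guessing through the gate, one guess every `interval` seconds.
    Returns (password_found_or_None, attempts_made, attempts_refused_as_locked)."""
    refused = 0
    for i, guess in enumerate(wordlist, start=1):
        outcome = gate.attempt(username, guess, verify_fn, start + i * interval)
        if outcome == "ok":
            return guess, i, refused
        if outcome == "locked":
            refused += 1
    return None, len(wordlist), refused


# Constructed wordlist (assumption); the real password sits at position 7.
WORDLIST = ["password", "123456", "hotel", "admin", "qwerty", "welcome1", "1234"]

if __name__ == "__main__":
    print("no lockout:", online_guess(LoginGate(max_failures=10 ** 9), "reception", WORDLIST, verify))
    gate = LoginGate(max_failures=5)
    print("AC-7 lockout:", online_guess(gate, "reception", WORDLIST, verify))
    print("correct password during lock:", gate.attempt("reception", "1234", verify, 500.0))
    print("correct password after lock expires:", gate.attempt("reception", "1234", verify, 906.0))
```

With no limit the guessing loop lands on the credential at the seventh attempt; with a limit of five the fifth failure locks the account, the remaining guesses (and even the correct password) are refused until the lock expires, and a normal user can log in again afterwards. The failure window keeps stale failures from accumulating indefinitely, which is the usual complaint against naive lockout counters.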
