Cyber Posture

CVE-2025-25749

HighPublic PoC

Published: 11 March 2025

Published
11 March 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0133 80.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25749 is a high-severity Weak Password Requirements (CWE-521) vulnerability in Digitaldruid Hoteldruid. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked in the top 19.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

Directly requires enforcement of sufficient strength for authenticators like passwords during creation and modification, addressing the lack of password complexity policies in HotelDruid.

SI-2 Flaw Remediation good match
prevent

Mandates identification, reporting, and correction of the specific flaw enabling weak password setting, preventing exploitation through timely software remediation.

AC-7 Unsuccessful Logon Attempts partial match
prevent

Limits consecutive unsuccessful logon attempts to block brute-force attacks that become feasible due to weak passwords set in HotelDruid.

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
attack.mitre.org →
Why these techniques?

The vulnerability's lack of password strength enforcement (CWE-521) directly allows weak passwords on accounts, explicitly enabling subsequent brute-force and guessing attacks as described in the CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue in HotelDruid version 3.0.7 and earlier allows users to set weak passwords due to the lack of enforcement of password strength policies.

Deeper analysisAI

CVE-2025-25749 affects HotelDruid version 3.0.7 and earlier, where users can set weak passwords due to the absence of password strength policy enforcement. Published on 2025-03-11, this vulnerability falls under CWE-521 (Weak Password Requirements) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating a high-severity issue stemming from inadequate controls on password complexity during account creation or modification.

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction required (UI:N). By setting weak passwords on their own or accessible accounts, the attacker enables subsequent brute-force or guessing attacks, potentially achieving high impacts on confidentiality and integrity (C:H/I:H) such as unauthorized data access or modification, alongside low availability impact (A:L).

Mitigation guidance is available in the referenced advisory at https://www.huyvo.net/post/cve-2025-25749-weak-password-policy-in-hoteldruid-3-0-7.

Details

CWE(s)
CWE-521

Affected Products

digitaldruid
hoteldruid
≤ 3.0.7

CVEs Like This One

CVE-2025-25748Same product: Digitaldruid Hoteldruid
CVE-2025-1341Shared CWE-521
CVE-2025-25211Shared CWE-521
CVE-2025-55269Shared CWE-521
CVE-2026-33771Shared CWE-521
CVE-2025-27663Shared CWE-521
CVE-2026-25715Shared CWE-521
CVE-2025-55252Shared CWE-521
CVE-2025-22390Shared CWE-521
CVE-2025-63747Shared CWE-521

References