Cyber Posture

CVE-2025-25907

Severity: High · Public PoC available

Published: 10 March 2025
Modified: 21 May 2025
KEV Added: not in the CISA KEV catalog
Patch: none listed on this page
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (26.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25907 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Tianti Project Tianti. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136). The CVE is ranked at the 26.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Create Account (T1136) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: SI-10 (Information Input Validation) requires validation of inputs to the /user/ajax/save component, directly blocking crafted GET or POST requests that lack valid anti-CSRF tokens.

Prevent: SC-23 (Session Authenticity) mandates protections for session authenticity, preventing attackers from forging requests that execute arbitrary operations on behalf of authenticated users.

Prevent: AC-3 (Access Enforcement) enforces approved access authorizations, addressing CSRF by ensuring only legitimate requests to the vulnerable endpoint are processed.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1136 Create Account (Persistence): Adversaries may create an account to maintain access to victim systems.
T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CSRF vulnerability in the user management endpoints (/user/ajax/save, /user/ajax/upd/status) lets an attacker exploit a public-facing web application (T1190) to perform unauthorized account creation (T1136) and account manipulation such as add, edit, delete, and restore (T1098) on behalf of authenticated victims via crafted requests.

NVD Description

tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/save. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request.

Deeper analysisAI

CVE-2025-25907, published on 2025-03-10, is a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) affecting tianti version 2.3 in the /user/ajax/save component. The flaw enables attackers to execute arbitrary operations via a crafted GET or POST request. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited over the network (AV:N) by an attacker holding no privileges on the application (PR:N) with low attack complexity (AC:L), but it requires user interaction (UI:R), such as tricking an authenticated victim into visiting a malicious site or clicking a forged link. Successful exploitation allows the attacker to perform unauthorized actions on behalf of the authenticated user, potentially compromising the application's data or functionality with high confidentiality, integrity, and availability impact.

Mitigation details are available in the referenced GitHub issue at https://github.com/xujeff/tianti/issues/39.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products: tianti project, tianti, version 2.3

CVEs Like This One

CVE-2025-27910 (same product: Tianti Project Tianti)
CVE-2024-55076 (shared CWE-352)
CVE-2026-22194 (shared CWE-352)
CVE-2026-24885 (shared CWE-352)
CVE-2024-56901 (shared CWE-352)
CVE-2025-1687 (shared CWE-352)
CVE-2025-68434 (shared CWE-352)
CVE-2026-33649 (shared CWE-352)
CVE-2024-56924 (shared CWE-352)
CVE-2025-59891 (shared CWE-352)
