Cyber Posture

CVE-2025-25967

Severity: High
Published: 03 March 2025
Modified: 06 March 2025
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0043 (62.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25967 is a high-severity CSRF (CWE-352) vulnerability in DDSN Acora CMS. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques (T1136.001 and T1531). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 (Session Authenticity) mandates session authenticity mechanisms such as CSRF tokens to protect against forged requests, directly addressing the absence of CSRF protections in this vulnerability.

Prevent: SI-10 (Information Input Validation) requires validation of information inputs, including CSRF tokens, so that unauthorized crafted requests exploiting the lack of validation are not processed.

Prevent: SI-2 (Flaw Remediation) covers identification, reporting, and correction of the specific CSRF flaw, that is, implementing the missing protections to remove the exploitation path.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Create Account: Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
T1531 Account Access Removal (Impact): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Why these techniques?

CSRF in the public-facing Acora CMS (T1190) lets an attacker use a victim's authenticated session to create local user accounts (T1136.001) or to delete or remove accounts (T1531).

NVD Description

Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw enables attackers to trick authenticated users into performing unauthorized actions, such as account deletion or user creation, by embedding malicious requests in external content. The lack of CSRF protections allows exploitation via crafted requests.

Deeper analysis

Acora CMS version 10.1.1 is affected by CVE-2025-25967, a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352. Published on 2025-03-03, the flaw arises from the absence of CSRF protections, allowing crafted requests to be processed without proper validation. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers can exploit this vulnerability without requiring authentication privileges (PR:N) by embedding malicious requests in external content, such as webpages or emails, to trick logged-in users into executing unintended actions. Successful exploitation enables unauthorized operations like account deletion or user creation, leveraging network accessibility (AV:N), low attack complexity (AC:L), and user interaction (UI:R) to achieve high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged scope (S:U).
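The mitigating-controls section above says SC-23 calls for session authenticity mechanisms such as CSRF tokens and SI-10 for validating those tokens on input; the analysis above says the flaw is that a state-changing request is processed on the strength of the victim's session cookie alone. The following added example (written for this page, not Acora CMS code; all names, the `Request` model and the sample accounts are constructed) puts the two patterns side by side: a handler that authorizes on the session cookie only, and the same handler with a synchronizer token plus an Origin check, run against one legitimate request and one request constructed the way the NVD text describes (cookie attached by the browser, no token, foreign Origin).

```python
"""Synchronizer-token CSRF protection for a state-changing CMS action.

Added example modelling the control SC-23 describes. Not Acora CMS code;
SITE_ORIGIN, the in-memory stores and the user names are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://cms.example.test"   # assumed deployment origin
SESSIONS: Dict[str, dict] = {}              # session id -> session state (constructed store)


@dataclass
class Request:
    """Only the parts of an HTTP request a CSRF check needs."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and mint a fresh per-session CSRF token (synchronizer token)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    """Token the legitimate UI embeds in its forms for this session."""
    return SESSIONS[sid]["csrf"]


def _session(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("session", ""))


def delete_user_vulnerable(req: Request, users: set) -> str:
    """Pattern the CVE text describes: authorization rests on the session cookie
    alone, which the victim's browser attaches to a cross-site request automatically."""
    sess = _session(req)
    if not sess or req.method != "POST":
        return "401 unauthenticated"
    users.discard(req.form.get("username", ""))
    return "200 deleted"


def delete_user_hardened(req: Request, users: set) -> str:
    """Same action with SC-23 style session authenticity checks (SI-10 validates the token)."""
    sess = _session(req)
    if not sess or req.method != "POST":
        return "401 unauthenticated"
    # 1. Synchronizer token: present and equal to this session's token.
    #    compare_digest keeps the comparison constant-time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return "403 csrf token mismatch"
    # 2. Defence in depth: when the browser supplies Origin, it must be our site.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    users.discard(req.form.get("username", ""))
    return "200 deleted"


def scenario() -> dict:
    """Run a legitimate and a forged request through both handlers on fresh user tables.
    The forged request is constructed to match the NVD description: the session cookie
    is present, but the attacker's page cannot read the per-session token, and the
    browser reports the attacker's Origin."""
    sid = login("admin")
    legit = Request("POST", "/admin/users/delete",
                    cookies={"session": sid},
                    form={"username": "editor", "csrf_token": csrf_token(sid)},
                    headers={"Origin": SITE_ORIGIN})
    forged = Request("POST", "/admin/users/delete",
                     cookies={"session": sid},
                     form={"username": "editor"},
                     headers={"Origin": "https://attacker.example"})
    results = {}
    for name, handler in (("vulnerable", delete_user_vulnerable),
                          ("hardened", delete_user_hardened)):
        for label, req in (("legit", legit), ("forged", forged)):
            users = {"admin", "editor"}          # constructed user table per run
            status = handler(req, users)
            results[(name, label)] = {"status": status, "editor_survives": "editor" in users}
    return results


if __name__ == "__main__":
    for key, outcome in scenario().items():
        print(key, outcome)
```

The token lives only in the server-side session and in the legitimate page's form, so a request originating from another site cannot supply it; the Origin check is independent and catches the same forgery even if a token were ever leaked. Rejections from the hardened handler are worth logging as a detection signal, since a burst of 403s carrying valid session cookies but missing tokens is exactly what an in-progress CSRF campaign against users looks like from the server.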

Mitigation guidance and additional details are available in the referenced advisory at https://github.com/padayali-JD/CVE-2025-25967.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products

Vendor: ddsn
Product: acora cms
Version: 10.1.1

CVEs Like This One

CVE-2025-63314 (same vendor: DDSN)
CVE-2025-22964 (same vendor: DDSN)
CVE-2024-13146 (shared CWE-352)
CVE-2026-3589 (shared CWE-352)
CVE-2025-59891 (shared CWE-352)
CVE-2025-2319 (shared CWE-352)
CVE-2025-23803 (shared CWE-352)
CVE-2025-25071 (shared CWE-352)
CVE-2025-23821 (shared CWE-352)
CVE-2025-30615 (shared CWE-352)

References