Cyber Resilience

CVE-2025-27110

HighPublic PoC

Published: 25 February 2025

Published
25 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score v4 7.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0027 51.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27110 is a high-severity Encoding Error (CWE-172) vulnerability in Trustwave Modsecurity. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211); ranked in the top 48.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27110 is a vulnerability in Libmodsecurity3 version 3.0.13, a core component of the ModSecurity v3 project that serves as an interface between ModSecurity Connectors and web traffic processing pipelines. The flaw causes the library to fail in decoding HTML entities that contain leading zeroes, stemming from an encoding error classified under CWE-172. This issue is specific to version 3.0.13 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or special conditions. Exploitation enables high integrity impact by preventing proper decoding of certain HTML entities, potentially allowing attackers to bypass ModSecurity's traditional web application firewall rules during traffic inspection.

The vulnerability is addressed in Libmodsecurity3 version 3.0.14, which includes a targeted fix. No known workarounds exist. Additional details are available in the ModSecurity GitHub issue (https://github.com/owasp-modsecurity/ModSecurity/issues/3340) and security advisory (https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-42w7-rmv5-4x2j).

EU & UK References

Vulnerability details

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in…

more

3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1211 Exploitation for Stealth Stealth
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability allows remote exploitation of a public-facing WAF component to bypass rule inspection via HTML entity decoding failure, directly enabling defense evasion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

trustwave
modsecurity
3.0.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely patching of known flaws like the HTML entity decoding failure in Libmodsecurity3 v3.0.13 to prevent WAF bypass exploitation.

detect

Vulnerability scanning identifies the presence of vulnerable Libmodsecurity3 v3.0.13, enabling proactive remediation before exploitation.

detect

Monitoring security advisories such as GHSA-42w7-rmv5-4x2j provides awareness of the CVE-2025-27110 flaw in Libmodsecurity3 to initiate patching.

References