Cyber Posture

CVE-2025-27138

Severity: Critical · Public PoC available

Published: 13 March 2025
Modified: 21 March 2025
KEV Added: not listed
Patch: fixed in DataEase v2.10.6
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0060 (69.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27138 is a critical-severity Improper Authentication (CWE-287) vulnerability in Dataease Dataease. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.3% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- IA-2 (Identification and Authentication (Organizational Users)), type: prevent. Requires robust identification and authentication of users, directly addressing the improper authentication flaw (CWE-287) in the TokenFilter class that enables unauthorized access.

- AC-3 (Access Enforcement), type: prevent. Mandates enforcement of approved access authorizations, countering the TokenFilter's failure to prevent unauthorized access (CWE-863).

- Type: prevent. Requires timely identification, reporting, and remediation of flaws like this authentication bypass, as fixed in DataEase v2.10.6.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass vulnerability in public-facing web application (DataEase) with no credentials required enables direct exploitation for initial access via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which may cause the risk of unauthorized access. The vulnerability has been fixed in v2.10.6. No known workarounds are available.

Deeper analysis [AI-generated]

CVE-2025-27138 is an authentication flaw in DataEase, an open-source business intelligence and data visualization tool. Prior to version 2.10.6, the io.dataease.auth.filter.TokenFilter class contains a vulnerability that enables unauthorized access. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization).

Remote attackers require no privileges, authentication, or user interaction to exploit this over the network with low complexity. Successful exploitation allows unauthorized access to the application, resulting in high confidentiality, integrity, and availability impacts.

The issue is fixed in DataEase version 2.10.6, with no known workarounds available. Additional details are provided in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-533g-whf8-q637.

Details

CWE(s): CWE-287 (Improper Authentication), CWE-863 (Incorrect Authorization)

Affected Products

Vendor: dataease
Product: dataease
Versions: ≤ 2.10.6

CVEs Like This One

- CVE-2025-58045 (same product: Dataease Dataease)
- CVE-2026-33083 (same product: Dataease Dataease)
- CVE-2026-33082 (same product: Dataease Dataease)
- CVE-2026-33122 (same product: Dataease Dataease)
- CVE-2025-58046 (same product: Dataease Dataease)
- CVE-2025-64164 (same product: Dataease Dataease)
- CVE-2025-64428 (same product: Dataease Dataease)
- CVE-2024-57707 (same product: Dataease Dataease)
- CVE-2026-33084 (same product: Dataease Dataease)
- CVE-2025-58748 (same product: Dataease Dataease)

References

- GitHub security advisory: https://github.com/dataease/dataease/security/advisories/GHSA-533g-whf8-q637