Cyber Resilience

CVE-2025-27615

High

Published: 10 March 2025

Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0006 (19.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27615 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2025-27615, published on 2025-03-10, affects umatiGateway, an open-source software application designed to connect OPC Unified Architecture (OPC UA) servers with an MQTT broker using JSON messages. The vulnerability stems from the user interface potentially being publicly accessible when umatiGateway is deployed via the provided docker-compose file. This exposure allows unauthorized remote access to view and alter the application's configuration. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Any network-accessible attacker can exploit this vulnerability without privileges or user interaction by directly connecting to the exposed UI on port 8080. Exploitation enables viewing sensitive configuration details and modifying settings, which could compromise the integrity of the gateway's operations (low impact per CVSS) and disrupt availability (high impact), such as by altering connectivity between OPC UA servers and the MQTT broker.

Mitigation is provided in commit 5d81a3412bc0051754a3095d89a06d6d743f2b16, which updates the docker-compose configuration to bind the UI to 127.0.0.1:8080:8080 (the loopback interface), so that it is reachable only locally rather than from the network. For deployments unable to apply this patch immediately, blocking inbound traffic on port 8080 with a firewall is advised as a workaround, though it may not fully prevent access because Docker inserts its own iptables-based port-forwarding rules, which can bypass host firewall rules. Further details are documented in the GitHub security advisory GHSA-qf9w-x9qx-2mq7, pull request 101, and related README updates.
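As an added defender-side check (not code from the advisory or the umatiGateway project), the following Python parses docker-compose short-syntax port mappings and flags any that publish a container port beyond the loopback interface, contrasting the `8080:8080` mapping described above with the patched `127.0.0.1:8080:8080`. The compose fragments are constructed and the service name is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Short syntax: [[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTO]; IPv6 host IPs are bracketed.
_SPEC_RE = re.compile(
    r"^(?:(?:(?P<ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?(?P<host>\d+(?:-\d+)?):)?"
    r"(?P<container>\d+(?:-\d+)?)(?:/(?:tcp|udp))?$"
)
@dataclass
class PortFinding:
    spec: str
    host_ip: Optional[str]    # None: Docker binds the host port on 0.0.0.0 (all interfaces)
    host_port: Optional[str]  # None: Docker picks an ephemeral host port, still on 0.0.0.0
    container_port: str
    exposed: bool             # True when the port is reachable from other hosts
def parse_port_spec(spec: str) -> PortFinding:
    # Parse one short-syntax mapping and decide whether it publishes beyond loopback.
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    ip = m.group("ip")
    loopback = ip is not None and (ip.startswith("127.") or ip == "[::1]")
    return PortFinding(spec, ip, m.group("host"), m.group("container"), not loopback)

def audit_compose(compose_text: str) -> List[PortFinding]:
    """Line-based scan of each `ports:` list; enough for this shape without a YAML library."""
    findings, in_ports, ports_indent = [], False, 0
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "ports:":
            in_ports, ports_indent = True, indent
        elif in_ports and indent >= ports_indent and stripped.startswith("- "):
            item = stripped[2:].split("#", 1)[0].strip().strip("\"'")
            findings.append(parse_port_spec(item))
        else:
            in_ports = False
    return findings

# Constructed compose fragments (service name is a placeholder); the second carries the advisory's fix.
VULNERABLE_COMPOSE = """\
services:
  gateway:
    ports:
      - "8080:8080"
"""
FIXED_COMPOSE = VULNERABLE_COMPOSE.replace('"8080:8080"', '"127.0.0.1:8080:8080"')
```

Binding to 127.0.0.1 leaves the UI reachable only from the Docker host itself; as the advisory notes, a host firewall alone is a weaker control because Docker's own iptables forwarding rules can take precedence over it.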

EU & UK References

Vulnerability details

umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker utilizing JSON messages. The user interface may possibly be publicly accessible with umatiGateway's provided docker-compose file. With this access, the configuration can be viewed and altered. Commit 5d81a3412bc0051754a3095d89a06d6d743f2b16 uses `127.0.0.1:8080:8080` to limit access to the local network. For those who are unable to use this proposed patch, a firewall on Port 8080 may block remote access, but the workaround may not be perfect because Docker may also bypass a firewall by its iptables-based rules for port forwarding.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes a public-facing web UI (port 8080) without authentication due to docker-compose misconfiguration, directly enabling remote exploitation of the application for unauthorized config access and modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13796 (shared CWE-200)
CVE-2025-25975 (shared CWE-200)
CVE-2024-12142 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2026-34297 (shared CWE-200)
CVE-2024-26480 (shared CWE-200)
CVE-2026-24498 (shared CWE-200)
CVE-2025-22828 (shared CWE-200)
CVE-2026-23659 (shared CWE-200)
CVE-2024-11282 (shared CWE-200)

Affected Assets

Mitigating Controls (NIST 800-53 r5)

Prevent (SC-14, Public Access Protections): Directly requires protections for publicly accessible system components like the exposed UI on port 8080 to prevent unauthorized viewing and alteration of sensitive configurations.

Prevent: Implements boundary protections such as firewalls to monitor and control external access to the vulnerable UI port, blocking remote exploitation.

Prevent (CM-6, Configuration Settings): Mandates secure configuration settings, such as binding the UI to 127.0.0.1 in docker-compose, to restrict access to local networks only.

References