CVE-2025-27615
Published: 10 March 2025
Summary
CVE-2025-27615 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-14 (Public Access Protections).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires protections for publicly accessible system components, such as the exposed UI on port 8080, to prevent unauthorized viewing and alteration of sensitive configurations.
- Implements boundary protections such as firewalls to monitor and control external access to the vulnerable UI port, blocking remote exploitation.
- Mandates secure configuration settings, such as binding the UI to 127.0.0.1 in docker-compose, so that the UI is reachable only from the local host.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes a public-facing web UI (port 8080) without authentication because of a docker-compose misconfiguration, which directly enables remote exploitation of the application for unauthorized configuration access and modification.
NVD Description
umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker utilizing JSON messages. The user interface may possibly be publicly accessible with umatiGateway's provided docker-compose file. With this access, the configuration can be viewed and altered. Commit 5d81a3412bc0051754a3095d89a06d6d743f2b16 uses `127.0.0.1:8080:8080` to limit access to the local network. For those who are unable to use this proposed patch, a firewall on Port 8080 may block remote access, but the workaround may not be perfect because Docker may also bypass a firewall by its iptable based rules for port forwarding.
Deeper analysis
CVE-2025-27615, published on 2025-03-10, affects umatiGateway, an open-source software application designed to connect OPC Unified Architecture (OPC UA) servers with an MQTT broker using JSON messages. The vulnerability stems from the user interface potentially being publicly accessible when umatiGateway is deployed via the provided docker-compose file. This exposure allows unauthorized remote access to view and alter the application's configuration. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Any attacker with network access to the host can exploit this vulnerability without privileges or user interaction by connecting directly to the exposed UI on port 8080. Exploitation enables viewing sensitive configuration details and modifying settings, which could compromise the integrity of the gateway's operations (low impact per CVSS) and disrupt availability (high impact), for example by altering the connectivity between OPC UA servers and the MQTT broker.
Mitigation is provided in commit 5d81a3412bc0051754a3095d89a06d6d743f2b16, which updates the docker-compose configuration to bind the UI to 127.0.0.1:8080:8080, thereby restricting access to the local network only. For deployments unable to apply this patch immediately, blocking inbound traffic on port 8080 via a firewall is advised as a workaround, though it may not fully prevent access due to Docker's iptables-based port forwarding rules. Further details are documented in the GitHub security advisory GHSA-qf9w-x9qx-2mq7, pull request 101, and related README updates.
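As an added check that is not part of the advisory or of the umatiGateway project, the following script flags published ports in a parsed docker-compose file that are not bound to a loopback address, which is the misconfiguration behind this CVE and what the `127.0.0.1:8080:8080` fix corrects. The service name `gateway` and the compose fragments are constructed for illustration; pass a dict produced by `yaml.safe_load` of a real compose file to `exposed_ports`.

```python
import ipaddress
import re

# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL], where
# HOST_IP is a dotted IPv4 address or a bracketed IPv6 literal such as [::1].
_SHORT = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|(?:[0-9]{1,3}\.){3}[0-9]{1,3}):)?"
    r"(?:(?P<host>[0-9]+(?:-[0-9]+)?):)?"
    r"(?P<target>[0-9]+(?:-[0-9]+)?)(?:/(?:tcp|udp))?$"
)


def parse_port(entry):
    """Normalise one `ports:` entry (short string or long-syntax mapping) to
    (host_ip, host_port, container_port); host_ip is None when not given."""
    if isinstance(entry, dict):  # long syntax
        ip, pub = entry.get("host_ip"), entry.get("published")
        return (None if ip is None else str(ip), None if pub is None else str(pub),
                str(entry["target"]))
    m = _SHORT.match(str(entry))
    if not m:
        raise ValueError(f"unrecognised port mapping: {entry!r}")
    ip = m.group("ip")
    return (ip.strip("[]") if ip else None, m.group("host"), m.group("target"))


def is_loopback_bound(host_ip):
    if host_ip is None:  # no host IP means 0.0.0.0 / [::], i.e. every interface
        return False
    try:
        return ipaddress.ip_address(host_ip).is_loopback
    except ValueError:
        return False


def exposed_ports(compose):
    """Return (service, host_ip, host_port, container_port) for each published
    port reachable from outside the host (Docker adds its own iptables rules)."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for entry in svc.get("ports") or []:
            host_ip, host_port, target = parse_port(entry)
            if not is_loopback_bound(host_ip):
                findings.append((name, host_ip or "0.0.0.0",
                                 host_port or "ephemeral", target))
    return findings


# Constructed compose fragments modelled on the advisory (service name assumed):
# the pre-patch mapping publishes the UI on every interface, the patched one
# binds it to loopback, as the fix commit does with `127.0.0.1:8080:8080`.
VULNERABLE = {"services": {"gateway": {"ports": ["8080:8080"]}}}
PATCHED = {"services": {"gateway": {"ports": ["127.0.0.1:8080:8080"]}}}
```

Because Docker programs its published ports into its own iptables chains, a finding here should be fixed in the compose file rather than papered over with a host firewall rule, which is the caveat the advisory raises.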
Details
- CWE(s)