CVE-2025-27822
Published: 07 March 2025
Summary
CVE-2025-27822 is a high-severity Incorrect Authorization (CWE-863) vulnerability in the Masquerade module for Backdrop CMS (the affected product is inferred from the advisory references). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 42.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations, directly addressing the module's failure to honor the "Masquerade as admin" permission and preventing unauthorized impersonation of administrative accounts.
- AC-6 (Least Privilege): Restricts the "Masquerade as user" permission to only the roles that need it, removing the prerequisite an attacker must hold to exploit the authorization bypass.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and remediation of flaws such as this Masquerade module vulnerability, here by updating the module to version 1.x-1.0.1 or later.
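The least-privilege control above only helps if you know which roles actually hold the attacker prerequisite. The following PHP script is an added audit example written for this page; it is not part of Backdrop CMS or the Masquerade module. It assumes Backdrop's role configuration layout (one `user.role.<name>.json` object per role with a `permissions` array, normally under the site's active config directory), builds a constructed copy of that layout in a temporary directory, and reports every role that can masquerade at all, flagging those without the "Masquerade as admin" permission, since that population is exactly what the unpatched module mis-handles.

```php
<?php
// Added role-permission audit for the least-privilege control above.
// Not part of Backdrop CMS or the Masquerade module. It scans Backdrop-style
// role config objects (user.role.<name>.json, each with a "permissions"
// array; layout is an assumption) and reports every role holding
// 'masquerade as user', noting whether it also holds 'masquerade as admin'.

// Constructed sample config directory for the demo (real installs keep these
// files under the site's active config directory; the role set is invented).
$configDir = sys_get_temp_dir() . '/backdrop-role-audit-' . getmypid();
mkdir($configDir);
$sampleRoles = [
    'anonymous'     => ['access content'],
    'authenticated' => ['access content'],
    'editor'        => ['access content', 'masquerade as user'],
    'support'       => ['access content', 'masquerade as user', 'masquerade as admin'],
    'administrator' => ['access content', 'masquerade as user', 'masquerade as admin'],
];
foreach ($sampleRoles as $name => $perms) {
    file_put_contents("$configDir/user.role.$name.json", json_encode([
        '_config_name' => "user.role.$name",
        'name'         => $name,
        'label'        => ucfirst($name),
        'permissions'  => $perms,
    ], JSON_PRETTY_PRINT));
}

/**
 * Returns [role name => bool] for every role holding 'masquerade as user';
 * the bool records whether the role also holds 'masquerade as admin'.
 */
function auditMasqueradeRoles(string $configDir): array
{
    $findings = [];
    foreach (glob("$configDir/user.role.*.json") ?: [] as $file) {
        $role = json_decode(file_get_contents($file), true);
        if (!is_array($role) || !isset($role['name'], $role['permissions'])) {
            continue; // skip malformed or unrelated files
        }
        if (in_array('masquerade as user', $role['permissions'], true)) {
            $findings[$role['name']] =
                in_array('masquerade as admin', $role['permissions'], true);
        }
    }
    ksort($findings);
    return $findings;
}

foreach (auditMasqueradeRoles($configDir) as $role => $hasAdminPerm) {
    // A role with the base permission but not the admin permission is the
    // population that could abuse the unpatched module; review each one and
    // drop 'masquerade as user' unless the role genuinely needs it.
    printf("%-15s masquerade as user: yes   masquerade as admin: %s\n",
        $role, $hasAdminPerm ? 'yes' : 'NO (review)');
}

// Remove the constructed files.
array_map('unlink', glob("$configDir/*.json") ?: []);
rmdir($configDir);
```

Point `$configDir` at a real site's active config directory (and drop the constructed-file setup and cleanup) to run it against an actual install; roles flagged "NO (review)" are the ones to trim first, and any role that keeps "Masquerade as user" should be treated as administrative-equivalent until the module is updated.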
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows bypassing the 'Masquerade as admin' permission check, enabling low-privileged users to impersonate administrators and gain elevated access, which directly maps to exploitation for privilege escalation.
NVD Description
An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as an administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission.
Deeper analysis
CVE-2025-27822 is a vulnerability in the Masquerade module for Backdrop CMS, affecting versions prior to 1.x-1.0.1. The module lets users who hold the "Masquerade as user" permission temporarily switch to another account, and a separate "Masquerade as admin" permission is meant to gate switching to accounts with administrative privileges. The flaw is that this second check is not always applied, so a non-administrative user who can masquerade at all may switch to an administrator. It is classified as CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker must possess a role with the "Masquerade as user" permission to exploit this flaw, which is why the vector records low privileges (PR:L). The attack is feasible over the network (AV:N) without user interaction (UI:N), though the vector rates attack complexity as high (AC:H). Successful exploitation lets the attacker act as an administrator for the duration of the masquerade session, with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H); anything the impersonated administrator can do, the attacker can do.
The Backdrop CMS security advisory (backdrop-sa-contrib-2025-006) at https://backdropcms.org/security/backdrop-sa-contrib-2025-006 addresses this vulnerability, noting that updating to Masquerade module version 1.x-1.0.1 or later resolves the issue. The advisory highlights the prerequisite of the "Masquerade as user" permission as a partial mitigator.
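To make the authorization failure concrete, the PHP below is an added illustration written for this page, not the Masquerade module's own code. It models users, roles and permissions as plain arrays (an assumption, so it runs stand-alone with no Backdrop install) and contrasts the vulnerable shape of the check, which consults only "masquerade as user", with a hardened shape that additionally requires "masquerade as admin" whenever the target account is administrative. The role names, uids and the `$adminRoles` list are invented for the demo; the two permission strings are the ones quoted in the advisory.

```php
<?php
// Illustrative model of the authorization flaw behind CVE-2025-27822.
// This is NOT the Masquerade module's code. Users, roles and permissions are
// plain arrays (assumption) so the logic runs without Backdrop.

// Constructed role -> permissions map. Only the two masquerade permission
// strings come from the advisory; everything else is invented for the demo.
$rolePermissions = [
    'anonymous'     => [],
    'authenticated' => [],
    'editor'        => ['masquerade as user'],
    'support'       => ['masquerade as user', 'masquerade as admin'],
    'administrator' => ['masquerade as user', 'masquerade as admin'],
];
// Roles treated as administrative for the purpose of the extra check (assumption).
$adminRoles = ['administrator'];

function userHasPermission(array $account, string $permission, array $rolePermissions): bool
{
    if ($account['uid'] === 1) {
        return true; // uid 1 bypasses permission checks, as in Backdrop/Drupal
    }
    foreach ($account['roles'] as $role) {
        if (in_array($permission, $rolePermissions[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

function isAdministrative(array $account, array $adminRoles): bool
{
    return $account['uid'] === 1
        || count(array_intersect($account['roles'], $adminRoles)) > 0;
}

// Vulnerable shape: only the base permission is consulted, so any account
// that may masquerade at all may switch to an administrator.
function masqueradeAccessVulnerable(array $actor, array $target, array $rolePermissions, array $adminRoles): bool
{
    return userHasPermission($actor, 'masquerade as user', $rolePermissions);
}

// Hardened shape: the base permission is required, and an administrative
// target additionally requires 'masquerade as admin'. Deny by default.
function masqueradeAccessFixed(array $actor, array $target, array $rolePermissions, array $adminRoles): bool
{
    if (!userHasPermission($actor, 'masquerade as user', $rolePermissions)) {
        return false;
    }
    if ($actor['uid'] === $target['uid']) {
        return false; // switching to yourself is meaningless
    }
    if (isAdministrative($target, $adminRoles)
        && !userHasPermission($actor, 'masquerade as admin', $rolePermissions)) {
        return false;
    }
    return true;
}

// Constructed accounts: a low-privileged editor and two administrative targets.
$editor = ['uid' => 7, 'roles' => ['authenticated', 'editor']];
$admin  = ['uid' => 2, 'roles' => ['authenticated', 'administrator']];
$root   = ['uid' => 1, 'roles' => ['authenticated']];

foreach (['vulnerable' => 'masqueradeAccessVulnerable', 'fixed' => 'masqueradeAccessFixed'] as $label => $fn) {
    foreach ([$admin, $root] as $target) {
        printf("%-10s editor (uid 7) -> uid %d: %s\n", $label, $target['uid'],
            $fn($editor, $target, $rolePermissions, $adminRoles) ? 'ALLOWED' : 'denied');
    }
}
```

The vulnerable check lets the editor, who holds only "masquerade as user", switch to both the administrator-role account and uid 1; the hardened check refuses both because the editor lacks "masquerade as admin". The point a reviewer should carry away is that the admin permission must be evaluated against the target account's privileges, not only the actor's, and that the decision should be denied by default whenever that evaluation is skipped.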
Details
- CWE(s)