
CVE-2025-27910

Severity: High | Public PoC

Published: 10 March 2025
Modified: 21 May 2025
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.1st percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27910 is a high-severity CSRF (CWE-352) vulnerability in Tianti Project Tianti. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-27910, published on 2025-03-10, is a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) in tianti version 2.3, specifically affecting the /user/ajax/upd/status component. The issue allows an attacker to have arbitrary operations executed via a crafted GET or POST request. It carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, and high impact on confidentiality, integrity, and availability, offset only by the low-privilege and user-interaction requirements.

Exploitation targets authenticated users with low privileges who can be socially engineered into performing an action, such as clicking a malicious link or submitting a forged form that triggers the vulnerable endpoint. The attacker needs no direct access to the application; the victim's browser submits the forged request together with the victim's session credentials, so the operation runs with the victim's authority and can compromise the victim's account or system resources.

Mitigation details are available in the referenced advisory at https://github.com/xujeff/tianti/issues/39.

Vulnerability details

tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/upd/status. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI-assisted mapping]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1136 Create Account (Persistence): Adversaries may create an account to maintain access to victim systems.
Why these techniques?

The CSRF weakness in the user-management endpoints (/user/ajax/save, /user/ajax/upd/status) lets a forged request perform unauthorized add, edit, delete, and restore operations on accounts, including creating administrator accounts. That maps to exploitation of the web application (T1190) followed by account manipulation (T1098) and account creation (T1136).

CVEs Like This One

CVE-2025-25907 (same product: Tianti Project Tianti)
CVE-2025-68434 (shared CWE-352)
CVE-2025-1687 (shared CWE-352)
CVE-2018-25200 (shared CWE-352)
CVE-2026-24885 (shared CWE-352)
CVE-2024-56901 (shared CWE-352)
CVE-2024-55076 (shared CWE-352)
CVE-2026-22194 (shared CWE-352)
CVE-2026-33649 (shared CWE-352)
CVE-2024-13852 (shared CWE-352)

Affected Assets

Vendor: tianti project
Product: tianti
Version: 2.3

Mitigating Controls (NIST 800-53 r5) [AI-assisted mapping]

Prevent: SC-23 (Session Authenticity) requires protections for communications session authenticity, directly preventing CSRF attacks by ensuring forged requests to /user/ajax/upd/status are rejected.

Prevent: SI-10 (Information Input Validation) mandates validation of information inputs, enabling verification of anti-CSRF tokens or Origin headers on crafted GET/POST requests to block unauthorized operations.

Prevent: SI-2 (Flaw Remediation) ensures timely identification, reporting, and remediation of flaws like the CSRF vulnerability in tianti v2.3's /user/ajax/upd/status component.
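The SC-23 and SI-10 controls above come down to three server-side checks on a state-changing endpoint such as /user/ajax/upd/status: refuse GET for state changes (a plain image tag can issue one), require an Origin or Referer that names this site, and require a per-session synchronizer token compared in constant time. The framework-agnostic filter below is an added illustration, not tianti's code; the allowed origin, the `_csrf` form field name and the session dictionary are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed deployment origin of the CMS; anything else is cross-site.
ALLOWED_ORIGINS = {"https://cms.example.org"}
# Endpoints the advisory names as performing account changes.
STATE_CHANGING = {"/user/ajax/upd/status", "/user/ajax/save"}


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token and keep the server-side copy."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(method: str, path: str, headers: dict, form: dict, session: dict):
    """Return (allowed, reason) for one request. Headers use canonical case."""
    if path not in STATE_CHANGING:
        return True, "not a protected endpoint"
    # 1. The vulnerable endpoint accepted GET; state changes must be POST only.
    if method != "POST":
        return False, "state change via GET refused"
    # 2. SC-23: the request must originate from this site.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" not in ALLOWED_ORIGINS:
        return False, "cross-site origin"
    # 3. SI-10: the submitted token must match the session copy (constant-time).
    expected = session.get("csrf_token")
    supplied = form.get("_csrf", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a forged GET from a lure page, then a legitimate POST.
    session = {}
    token = issue_csrf_token(session)
    forged = csrf_check("GET", "/user/ajax/upd/status",
                        {"Referer": "https://evil.example/lure.html"}, {}, session)
    legit = csrf_check("POST", "/user/ajax/upd/status",
                       {"Origin": "https://cms.example.org"}, {"_csrf": token}, session)
    print(forged, legit)
```

Logging the rejection reason gives the SOC a direct detection signal: a burst of "cross-site origin" or "bad or missing CSRF token" rejections against account endpoints is the footprint of a CSRF campaign.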