Cyber Resilience

CVE-2025-2859

Medium

Published: 28 March 2025

Published
28 March 2025
Modified
10 October 2025
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 57.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2859 is a medium-severity Improper Authentication (CWE-287) vulnerability in Arteche Satech Bcu Firmware. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked in the top 43.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2025-2859 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-287 (Improper Authentication), published on 2025-03-28. It affects the Arteches Satech BCU device, where an attacker with network access can capture traffic to obtain user cookies. This enables session hijacking, allowing unauthorized access to the active user session.

An unauthenticated attacker (PR:N) on the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) required can exploit this by intercepting unencrypted traffic. Successful exploitation grants the attacker the stolen session's privileges, enabling changes to the device via its web interface, with impacts including high confidentiality, integrity, and availability compromise (C:H/I:H/A:H).

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu provides details on this and related vulnerabilities in Arteches Satech BCU, including recommended mitigations such as applying patches or network segmentation where feasible.

EU & UK References

Vulnerability details

An attacker with network access, could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the device via web, depending on the privileges obtained by the user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Vulnerability enables capture of unencrypted session cookies from network traffic for session hijacking, mapping directly to network sniffing for credential capture, stealing web session cookies, and using stolen cookies as alternate authentication material.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2861Same product: Arteche Satech Bcu
CVE-2025-2858Same product: Arteche Satech Bcu
CVE-2025-2862Same product: Arteche Satech Bcu
CVE-2025-2863Same product: Arteche Satech Bcu
CVE-2025-1723Shared CWE-287
CVE-2024-11322Shared CWE-287
CVE-2025-71279Shared CWE-287
CVE-2024-13804Shared CWE-287
CVE-2025-56752Shared CWE-287
CVE-2024-57046Shared CWE-287

Affected Assets

arteche
satech bcu firmware
2.1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Protects the confidentiality and integrity of transmitted information, directly preventing attackers from capturing unencrypted user cookies over the network.

prevent

Requires identification, reporting, and timely remediation of security flaws like CVE-2025-2859 in the Arteches Satech BCU device.

prevent

Ensures authenticity of communications sessions, mitigating unauthorized use of stolen session cookies for device changes.

References