CVE-2025-2859
Published: 28 March 2025
Summary
CVE-2025-2859 is a critical-severity Improper Authentication (CWE-287) vulnerability in Arteche Satech BCU firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); the CVE ranks in the top 43.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): protects the confidentiality and integrity of transmitted information, directly preventing attackers from capturing unencrypted user cookies over the network.
- Flaw remediation: requires identification, reporting, and timely remediation of security flaws such as CVE-2025-2859 in the Arteches Satech BCU device.
- SC-23 (Session Authenticity): ensures the authenticity of communications sessions, mitigating unauthorized use of stolen session cookies to make device changes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an attacker capture unencrypted session cookies from network traffic and use them for session hijacking. That maps directly to network sniffing for credential capture, stealing web session cookies, and using the stolen cookies as alternate authentication material.
NVD Description
An attacker with network access could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the device via web, depending on the privileges obtained by the user.
Deeper analysis
CVE-2025-2859 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-287 (Improper Authentication), published on 2025-03-28. It affects the Arteches Satech BCU device, where an attacker with network access can capture traffic to obtain user cookies. This enables session hijacking, allowing unauthorized access to the active user session.
An unauthenticated attacker (PR:N) on the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) required can exploit this by intercepting unencrypted traffic. Successful exploitation grants the attacker the stolen session's privileges, enabling changes to the device via its web interface, with impacts including high confidentiality, integrity, and availability compromise (C:H/I:H/A:H).
The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu provides details on this and related vulnerabilities in Arteches Satech BCU, including recommended mitigations such as applying patches or network segmentation where feasible.
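As an added example (not code from the CVE record, the vendor or the advisory), the following audit checks the two properties the SC-8 and SC-23 controls listed above target and that the analysis describes: whether a device web interface issues its session cookie over plaintext HTTP, and whether the cookie's attributes let a captured value be replayed. The session-cookie names and the sample responses are constructed assumptions; the real device's cookie names are not given on this page.

```python
from dataclasses import dataclass, field

@dataclass
class CookieFinding:
    name: str
    issues: list = field(default_factory=list)

def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, {lower-case attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

# Assumed session-cookie names; the device's real cookie names are not on the CVE record.
SESSION_NAMES = ("sessionid", "phpsessid", "jsessionid", "session")

def audit_session_cookies(scheme, headers):
    """Flag session cookies a passive network observer could capture or replay.
    scheme is "http" or "https"; headers is a list of (name, value) pairs."""
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.lower() not in SESSION_NAMES:
            continue
        finding = CookieFinding(name)
        if scheme == "http":  # SC-8: the cookie crosses the wire in cleartext
            finding.issues.append("issued over plaintext HTTP")
        if "secure" not in attrs:  # browser would resend it over any HTTP link
            finding.issues.append("missing Secure attribute")
        if "httponly" not in attrs:  # readable by injected script
            finding.issues.append("missing HttpOnly attribute")
        if "samesite" not in attrs:  # SC-23: limits cross-site replay of the session
            finding.issues.append("missing SameSite attribute")
        if scheme == "https" and not has_hsts:  # first visit may still go over HTTP
            finding.issues.append("no Strict-Transport-Security header")
        findings.append(finding)
    return findings

# Constructed sample responses: a weak device web UI beside a hardened one.
WEAK = ("http", [("Content-Type", "text/html"),
                 ("Set-Cookie", "SESSIONID=abc123; Path=/")])
HARDENED = ("https", [("Strict-Transport-Security", "max-age=31536000"),
                      ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")])
```

Running `audit_session_cookies(*WEAK)` reports four issues for the plaintext configuration, while the hardened response yields a finding with no issues.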
Details
- CWE(s): CWE-287 (Improper Authentication)