CVE-2025-29314
Published: 24 March 2025
Summary
CVE-2025-29314 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in CSDN (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 25.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly protects session authenticity from man-in-the-middle attacks, countering the insecure Shiro cookie vulnerability exploited via network interception.
Mandates confidentiality and integrity protection for transmitted information, preventing MITM access to sensitive data in unencrypted Shiro cookies.
Requires cryptographic mechanisms to protect sensitive information during transmission, directly addressing CWE-311 missing encryption in Shiro cookies.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Insecure Shiro cookie configurations with missing encryption (CWE-311) directly enable MITM attacks to intercept sensitive data, facilitating Adversary-in-the-Middle (T1557) and Steal Web Session Cookie (T1539).
NVD Description
Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack.
Deeper analysis (AI)
CVE-2025-29314 is a vulnerability stemming from insecure Shiro cookie configurations in the OpenDaylight Service Function Chaining (SFC) Subproject, specifically affecting versions Sodium-SR4 and below. This flaw, associated with CWE-311 (Missing Encryption of Sensitive Data), enables attackers to access sensitive information through a man-in-the-middle (MITM) attack. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts over a network.
Attackers can exploit this vulnerability by positioning themselves between the victim and the OpenDaylight SFC service. No privileges or user interaction are required, but attack complexity is high because the attacker must be able to intercept network traffic. Successful exploitation allows remote attackers to access sensitive information, potentially leading to high-level compromise of confidentiality, integrity, and availability of the affected service.
References to the vulnerability include blog posts on CSDN, but no specific details on advisories or patches are available in the provided information.
Details
- CWE(s)