CVE-2025-29315
Published: 24 March 2025
Summary
CVE-2025-29315 is a critical-severity Improper Access Control (CWE-284) vulnerability in Csdn (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-29315 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the Shiro-based Role-based Access Control (RBAC) mechanism of the OpenDaylight Service Function Chaining (SFC) Subproject. It affects SFC Sodium-SR4 and earlier versions and is classified under CWE-284 (Improper Access Control). The issue allows attackers to execute privileged operations via a crafted request.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables attackers to perform privileged operations, resulting in high impacts to confidentiality, integrity, and availability on affected OpenDaylight SFC deployments.
References to the vulnerability include blog posts at https://blog.csdn.net/weixin_43959580/article/details/144794289, which provide further details on the issue. Specific mitigation or patch information is not detailed in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8016
Vulnerability details
An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote unauthenticated improper access control flaw in a public-facing application (OpenDaylight SFC) that allows execution of privileged operations, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation) to perform high-privilege actions.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to system resources, directly preventing unauthorized privileged operations via crafted requests in the flawed Shiro RBAC mechanism.
Implements a tamper-resistant reference monitor to enforce access control policies, mitigating the improper RBAC enforcement in OpenDaylight SFC.
Applies least privilege to restrict the scope of operations even if the RBAC bypass occurs, limiting damage from privileged execution.