Cyber Resilience

CVE-2025-29315

Critical

Published: 24 March 2025

Published
24 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29315 is a critical-severity Improper Access Control (CWE-284) vulnerability in Csdn (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-29315 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the Shiro-based Role-based Access Control (RBAC) mechanism of the OpenDaylight Service Function Chaining (SFC) Subproject. It affects SFC Sodium-SR4 and earlier versions and is classified under CWE-284 (Improper Access Control). The issue allows attackers to execute privileged operations via a crafted request.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables attackers to perform privileged operations, resulting in high impacts to confidentiality, integrity, and availability on affected OpenDaylight SFC deployments.

References to the vulnerability include blog posts at https://blog.csdn.net/weixin_43959580/article/details/144794289, which provide further details on the issue. Specific mitigation or patch information is not detailed in the CVE description.

EU & UK References

Vulnerability details

An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a remote unauthenticated improper access control flaw in a public-facing application (OpenDaylight SFC) that allows execution of privileged operations, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation) to perform high-privilege actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55261Shared CWE-284
CVE-2026-21636Shared CWE-284
CVE-2025-57130Shared CWE-284
CVE-2024-53348Shared CWE-284
CVE-2025-20229Shared CWE-284
CVE-2026-24300Shared CWE-284
CVE-2026-20750Shared CWE-284
CVE-2025-2280Shared CWE-284
CVE-2025-70064Shared CWE-284
CVE-2024-44313Shared CWE-284

Affected Assets

Csdn
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly preventing unauthorized privileged operations via crafted requests in the flawed Shiro RBAC mechanism.

prevent

Implements a tamper-resistant reference monitor to enforce access control policies, mitigating the improper RBAC enforcement in OpenDaylight SFC.

prevent

Applies least privilege to restrict the scope of operations even if the RBAC bypass occurs, limiting damage from privileged execution.

References