CVE-2025-30236
Published: 19 March 2025
Summary
CVE-2025-30236 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Shearwater SecurEnvoy SecurAccess Enrol before version 9.4.515. Its CVSS v3.1 base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-2 (Identification and Authentication (Organizational Users)): requires systems to uniquely identify and authenticate organizational users with the defined authenticators, which directly counters a login flow in which a TOTP code alone is accepted whenever a SESSION parameter is present.
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for logical access to the system, countering the flawed session handling that skips the password check.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of software flaws, here by upgrading SecurEnvoy SecurAccess Enrol to 9.4.515 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web application: a crafted POST request carrying a SESSION parameter causes the password check to be skipped, so a six-digit TOTP code alone completes the login. That directly enables T1190 for initial access and maps to T1556.006, since the multi-factor authentication flow is reduced to a single factor.
NVD Description
Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 allows authentication through only a six-digit TOTP code (skipping a password check) if an HTTP POST request contains a SESSION parameter.
Deeper analysis
CVE-2025-30236 affects Shearwater SecurEnvoy SecurAccess Enrol versions prior to 9.4.515. When an HTTP POST request includes a SESSION parameter, the application treats it as evidence that the password step already succeeded and skips the password check, so a six-digit Time-based One-Time Password (TOTP) code is sufficient to authenticate. The client-controlled SESSION value is trusted as if it were server-issued state, which is the CWE-472 pattern.
A network-reachable attacker needs no prior privileges and no user interaction, and the attack is of low complexity, as reflected in the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N (8.6). The attacker submits a POST request with a SESSION parameter of their choosing and a correct six-digit TOTP code for the target account; authentication then succeeds without the password, giving high integrity impact through account takeover or unauthorized access to protected resources. Note that the TOTP factor is still required, so the practical effect is to reduce authentication to a single six-digit factor rather than to remove authentication entirely.
The fix is described in the vendor's release notes for SecurEnvoy SecurAccess Enrol 9.4.515. Practitioners should upgrade to that version or later. Additional technical details, including the probabilistic exploitation aspects of the remaining six-digit factor, are documented in the referenced analysis at reserge.org.
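The following is an added illustration of the flaw class described above, not SecurEnvoy's code and not a reconstruction of the real handler. It models a login endpoint that, in the vulnerable variant, treats the presence of a client-supplied SESSION field as proof that the password step already happened, and contrasts it with a hardened variant that only consults server-side session state. The TOTP routine is RFC 6238 over HMAC-SHA1; the secret, password, session names and clock value are constructed demo data.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo credentials for one account; not real values.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"   # TOTP seed in base32 (hypothetical)
DEMO_PASSWORD = "correct horse battery staple"
STEP = 30                               # TOTP time step in seconds


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", at // STEP)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_ok(code: str, now: int) -> bool:
    """Accept the current step and one step either side to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(DEMO_SECRET_B32, now + d * STEP).encode(), code.encode())
        for d in (-1, 0, 1)
    )


def password_ok(pw: str) -> bool:
    return hmac.compare_digest(pw.encode(), DEMO_PASSWORD.encode())


def login_vulnerable(form: dict, now: int) -> bool:
    """Hypothetical model of the flawed flow: the mere presence of a client-supplied
    SESSION field is taken as proof that the password step already happened, so only
    the TOTP is checked (CWE-472, client controls an assumed-immutable parameter)."""
    code = form.get("TOTP", "")
    if "SESSION" in form:                      # attacker-controlled branch condition
        return totp_ok(code, now)
    return password_ok(form.get("PASSWORD", "")) and totp_ok(code, now)


def login_fixed(form: dict, now: int, sessions: dict) -> bool:
    """Hardened flow: SESSION is only a key into server-side state. The password factor
    must be recorded as verified there, or be present and correct in this request;
    a TOTP code on its own never completes the login."""
    record = sessions.get(form.get("SESSION", ""))
    first_factor = bool(record and record.get("password_verified"))
    if not first_factor:
        first_factor = password_ok(form.get("PASSWORD", ""))
    return first_factor and totp_ok(form.get("TOTP", ""), now)


def demo() -> dict:
    """Runs both handlers against the crafted request from the advisory: a valid TOTP,
    no password, and a SESSION value the server never issued."""
    now = 1_700_000_000                       # fixed clock so results are reproducible
    code = totp(DEMO_SECRET_B32, now)
    crafted = {"SESSION": "anything-goes", "TOTP": code}
    sessions = {}                              # server issued no session for this login
    legit = {"PASSWORD": DEMO_PASSWORD, "TOTP": code}
    return {
        "vulnerable_accepts_crafted": login_vulnerable(crafted, now),
        "fixed_rejects_crafted": not login_fixed(crafted, now, sessions),
        "fixed_accepts_legit": login_fixed(legit, now, sessions),
    }


if __name__ == "__main__":
    print(demo())
```

The branch on `"SESSION" in form` is the whole defect: a value the client chooses decides whether the first factor is checked. The hardened handler keeps that decision on the server, which is what IA-2 and AC-3 ask for in practice.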
Details
- CWE(s)