CVE-2025-41077

High

Published: 12 January 2026

Published

12 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0003 10.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41077 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Viafirma Inbox. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery (T1087); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Discovery (T1087) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to system resources, directly preventing low-privilege authenticated users from listing, accessing, or modifying other users' data in this IDOR vulnerability.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege, limiting low-privilege users' ability to perform unauthorized actions like modifying email addresses of other users.

SI-10 Information Input Validation partial match

prevent

SI-10 validates information inputs to block unauthorized direct object references that enable access and modification of other users' data.

MITRE ATT&CK Enterprise TechniquesAI

T1087 Account Discovery Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

T1078 Valid Accounts Stealth

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

Why these techniques?

IDOR enables account discovery (listing users), account manipulation (email modification), and valid account takeover via password recovery.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using…

the password recovery functionality to access the application by impersonating any user, including those with administrative permissions.

Deeper analysisAI

CVE-2025-41077 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, affecting Viafirma Inbox version 4.5.13. The flaw allows any authenticated user without application privileges to list all users, access their data, and modify it, including critical fields like email addresses. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality and integrity.

An attacker requires only low-privilege authentication (PR:L) to exploit this remotely over the network with no user interaction needed. Successful exploitation enables listing and altering any user's data, such as changing email addresses. This facilitates account takeover via the password recovery functionality, allowing impersonation of any target user, including those with administrative permissions.

Mitigation guidance is available in the INCIBE-CERT advisory detailing multiple vulnerabilities in Viafirma products, accessible at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products.