CVE-2025-41078

High

Published: 12 January 2026

Published

12 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0004 12.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41078 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Viafirma Documents. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly enforces approved authorizations for access to resources, addressing the core weakness in authorization mechanisms that allows unauthorized data access, user management, and privilege escalation.

AC-6 Least Privilege good match

prevent

Implements least privilege to restrict low-privileged authenticated users from performing high-privilege actions like user creation, modification, deletion, and impersonation.

AC-2 Account Management partial match

prevent

Manages system accounts including creation, modification, and review to ensure privileges align with roles, mitigating risks from unauthorized account operations.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

T1136 Create Account Persistence

Adversaries may create an account to maintain access to victim systems.

attack.mitre.org →

Why these techniques?

Authorization bypass (CWE-863) directly enables privilege escalation via impersonation and unauthorized account creation/modification/deletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in…

the generation and signing of documents.

Deeper analysisAI

CVE-2025-41078 is a high-severity authorization vulnerability (CVSS 8.1, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) stemming from weaknesses in the authorization mechanisms of Viafirma Documents version 3.7.129, associated with CWE-863 (Incorrect Authorization). It enables an authenticated user lacking appropriate privileges to perform unauthorized actions within the application.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows listing and accessing other users' data, creating, modifying, or deleting user accounts, and escalating privileges by impersonating other users during document generation and signing processes, resulting in high confidentiality and integrity impacts.

INCIBE-CERT has issued a notice detailing multiple vulnerabilities in Viafirma products, including CVE-2025-41078, available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products.