Cyber Resilience

CVE-2025-41715

Severity: Critical
Published: 24 September 2025
Modified: 15 April 2026
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0013 (32.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-41715 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. The affected vendor and product are not named on this page: NVD filed no CPE, and the only product-identifying reference is the CERT@VDE advisory VDE-2025-087 (CERT@VDE is the coordinating CERT that published the advisory, not the vendor of the affected software). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0013 places it at the 32.4th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Follow the mitigation guidance in the CERT@VDE advisory first; the NIST SP 800-53 controls this analysis maps to the underlying weakness are AC-14 (Permitted Actions Without Identification or Authentication) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2025-41715 is a critical vulnerability in a web application whose backing database is reachable over the network without any authentication. The flaw is classified as CWE-306 (Missing Authentication for Critical Function): the database interface is a critical function, and no identification or authentication step stands in front of it. Published on 2025-09-24 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it rates High impact on confidentiality, integrity and availability alike.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Successful exploitation gives the attacker direct access to the database, which can lead to its full compromise: exfiltration of stored data, modification of records, or disruption by deleting or corrupting them. The scope is Unchanged, so the score reflects impact on the application and its database rather than on other systems, but any credentials or configuration stored in that database would be a natural pivot point.

Mitigation guidance is available in the advisory published by CERT VDE at https://certvde.com/de/advisories/VDE-2025-087.


Vulnerability details

The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access to it and potentially compromise it.

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The missing authentication on the web application's exposed database means a remote attacker can reach the critical function directly from the public-facing application (T1190) and obtain data access or compromise without any prior foothold.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21515 (shared CWE-306)
CVE-2025-57432 (shared CWE-306)
CVE-2026-27446 (shared CWE-306)
CVE-2026-21446 (shared CWE-306)
CVE-2021-47891 (shared CWE-306)
CVE-2026-24790 (shared CWE-306)
CVE-2025-21524 (shared CWE-306)
CVE-2025-53072 (shared CWE-306)
CVE-2025-40771 (shared CWE-306)
CVE-2026-1023 (shared CWE-306)

Affected Assets

Certvde (inferred from references and description; NVD did not file a CPE for this CVE)
Note that certvde.com belongs to CERT@VDE, the coordinating CERT that published advisory VDE-2025-087, so this inferred asset name identifies the advisory source rather than the affected vendor or product. Consult the advisory for the actual product and version range.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-14 (prevent)

AC-14 requires the organization to identify and document the specific actions that may be performed on the system without identification or authentication. A maintained inventory of anonymous actions turns an unauthenticated database interface into a visible policy exception instead of a silent default; the control is an inventory and policy control, so it needs an enforcement mechanism (AC-3, Access Enforcement) behind it to actually block the access.

IA-8 (prevent)

IA-8 requires the system to uniquely identify and authenticate non-organizational users, or processes acting on their behalf, before granting access. An authentication check in front of the database interface blocks the unauthenticated remote attacker this CVE describes.

SC-14 (prevent)

SC-14 (Public Access Protections) appears in the original mapping, but it was withdrawn in SP 800-53 Revision 4 and has no Revision 5 entry. The intent attributed to it here, restricting external connections and disabling unneeded interfaces, is covered in Revision 5 by SC-7 (Boundary Protection) and CM-7 (Least Functionality): keep the database listener off untrusted networks and disable any database interface the application does not require.
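As an added illustration, not code from the advisory, the affected product, or this page, the following Python module reduces the pattern described under "Deeper analysis" and the AC-14/IA-8 controls above to runnable form: a request handler that serves a database export with no credential check (the CWE-306 shape), the same handler behind a default-deny authentication gate with an explicit allow-list of anonymous actions, and a check that reports which routes an anonymous client can reach. The route paths, the bearer token, and the sample rows are assumptions made for the example; a real deployment would use the product's own user authentication rather than a static token.

```python
"""Added example, not code from the advisory or the affected product.

Two variants of a tiny web application, modelled as plain request handlers
so the example runs offline:

  vulnerable_app  serves the database export with no credential check
                  (the CWE-306 shape described in this CVE)
  hardened_app    puts a default-deny gate in front of every route, with an
                  explicit, documented allow-list of anonymous actions (AC-14)
                  and a bearer-token check for everything else (IA-8)

Paths, the token and the sample rows are assumptions for the illustration.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample data standing in for the application's database.
DB_ROWS = [
    {"id": 1, "user": "alice", "role": "admin"},
    {"id": 2, "user": "bob", "role": "operator"},
]

# Assumed shared secret for the hardened variant (illustration only; a real
# deployment would use the product's own user authentication).
API_TOKEN = "demo-token-not-a-real-secret"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


# --- actions exposed by the application ---------------------------------
def health(_req):
    return 200, {"status": "ok"}


def login_form(_req):
    return 200, {"login": "form"}


def db_export(_req):
    # The critical function: dumps every row of the database.
    return 200, {"rows": list(DB_ROWS)}


ROUTES = {
    "/health": health,
    "/login": login_form,
    "/api/db/export": db_export,
}


# --- vulnerable variant: no authentication anywhere ----------------------
def vulnerable_app(req):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, {"error": "not found"}
    return handler(req)  # db_export is reachable by anyone


# --- hardened variant: default deny, explicit anonymous allow-list -------
# AC-14: the complete, reviewable list of actions permitted without
# identification or authentication. Anything not listed requires a login.
ANONYMOUS_ACTIONS = frozenset({"/health", "/login"})


def is_authenticated(req):
    """IA-8 style check: a valid bearer token must accompany the request."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    # compare_digest on bytes: constant-time and safe for any input encoding.
    return scheme == "Bearer" and hmac.compare_digest(
        token.encode("utf-8"), API_TOKEN.encode("utf-8")
    )


def hardened_app(req):
    # The gate runs before dispatch, so unknown routes cannot be enumerated
    # anonymously either: every non-allow-listed path needs credentials.
    if req.path not in ANONYMOUS_ACTIONS and not is_authenticated(req):
        return 401, {"error": "authentication required"}
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, {"error": "not found"}
    return handler(req)


# --- check: which routes can an anonymous client reach? ------------------
def anonymous_reachable(app, paths):
    """Return the paths that answer 2xx to a request carrying no credentials."""
    return [p for p in paths if 200 <= app(Request("GET", p))[0] < 300]


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(f"{name:10s} anonymous can reach: {anonymous_reachable(app, ROUTES)}")
```

Running the module prints the routes each variant exposes to an anonymous client: the vulnerable variant lists the database export alongside the health and login pages, the hardened variant lists only the two allow-listed actions. The allow-list is the artefact AC-14 asks for; reviewing it is how an unauthenticated database endpoint gets caught before it ships.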

References

CERT@VDE advisory VDE-2025-087: https://certvde.com/de/advisories/VDE-2025-087