CVE-2025-42605
Published: 23 April 2025
Summary
CVE-2025-42605 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Meon Bidding Solutions. Its CVSS base score is 9.3 (Critical).
Operationally, it is ranked in the top 30.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
This vulnerability affects Meon Bidding Solutions and stems from improper authorization controls on API endpoints handling initiation, modification, or cancellation operations. The flaw, identified as CWE-639, permits manipulation of parameters within API request bodies.
An authenticated remote attacker can exploit the issue over the network to gain unauthorized access to other user accounts and perform manipulation of associated data. The CVSS 4.0 score of 9.3 reflects the high impact on confidentiality and integrity with low attack complexity and no required user interaction.
The EPSS score rose from a low baseline to a peak of 0.0137, indicating emerging exploitation interest after disclosure. The sole referenced advisory is available from CERT-In under CIVN-2025-0082.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12240
Vulnerability details
This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in the API request body to gain unauthorized access to other user accounts. Successful exploitation of this vulnerability could allow a remote attacker to perform unauthorized manipulation of data associated with other user accounts.
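The weakness class behind this CVE (CWE-639) is an endpoint that decides whose record to act on from a key the client supplies rather than from the authenticated session. The following is an added illustration, not Meon's code and not a reproduction of the real endpoints: the bid store, the `cancel_bid_*` handlers, the `account_id`/`bid_id` field names and the session shape are all hypothetical. It shows a vulnerable cancellation handler beside a hardened one, plus the detection check a defender can run over request logs.

```python
"""CWE-639 illustration: a bid-cancellation API that trusts a client-supplied
account key (vulnerable) versus one that binds the action to the session
principal (hardened).  Constructed example; all names are hypothetical."""
from dataclasses import dataclass


@dataclass
class Bid:
    bid_id: int
    owner_id: int
    amount: int
    status: str = "open"


def make_store():
    """Constructed in-memory store: user 1 owns bid 101, user 2 owns bid 102."""
    return {
        101: Bid(101, owner_id=1, amount=500),
        102: Bid(102, owner_id=2, amount=750),
    }


def cancel_bid_vulnerable(store, session, body):
    """Vulnerable pattern: the ownership check compares the bid owner against
    `account_id` taken from the request body.  Any authenticated caller can
    set that field to the victim's id, so the check is satisfied trivially."""
    bid = store.get(body["bid_id"])
    if bid is None:
        return ("not_found", None)
    if bid.owner_id != body["account_id"]:          # attacker controls both sides
        return ("denied", bid.status)
    bid.status = "cancelled"
    return ("ok", bid.status)


def cancel_bid_secure(store, session, body):
    """Hardened pattern: the acting principal is read only from the server-side
    session; nothing in the body is allowed to name the account being acted on.
    Missing and foreign bids yield the same response so the key space cannot be
    enumerated through differing status codes."""
    actor = session["user_id"]
    bid = store.get(body["bid_id"])
    if bid is None or bid.owner_id != actor:
        return ("denied", None)
    bid.status = "cancelled"
    return ("ok", bid.status)


def detect_key_mismatch(session, body):
    """Detection rule for API gateway / WAF logs: flag requests whose body names an
    account other than the session owner.  A handful of hits may be client bugs;
    a burst from one session across many account ids is the IDOR signature."""
    claimed = body.get("account_id")
    return claimed is not None and claimed != session["user_id"]


if __name__ == "__main__":
    attacker = {"user_id": 2}
    forged = {"bid_id": 101, "account_id": 1}      # user 2 claims to be user 1
    print("vulnerable:", cancel_bid_vulnerable(make_store(), attacker, forged))
    print("hardened:  ", cancel_bid_secure(make_store(), attacker, forged))
    print("mismatch flagged:", detect_key_mismatch(attacker, forged))
```

The fix is not an extra comparison but a change of data source: the handler must never accept the account identity from a field the client can edit. The `detect_key_mismatch` rule is the cheap retrospective check; it assumes the gateway logs both the session user and the parsed request body.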
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.