Cyber Resilience

CVE-2025-42605

Critical

Published: 23 April 2025

Modified: 15 April 2026
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0059 (69.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-42605 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability; the affected vendor is recorded here only as "Org" (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 30.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

This vulnerability affects Meon Bidding Solutions and stems from improper authorization controls on API endpoints handling initiation, modification, or cancellation operations. The flaw, identified as CWE-639, permits manipulation of parameters within API request bodies.

An authenticated remote attacker can exploit the issue over the network to gain unauthorized access to other user accounts and perform manipulation of associated data. The CVSS 4.0 score of 9.3 reflects the high impact on confidentiality and integrity with low attack complexity and no required user interaction.

The EPSS score rose from a low baseline to a peak of 0.0137, indicating emerging exploitation interest after disclosure. The sole referenced advisory is available from CERT-In under CIVN-2025-0082.

EU & UK References

Vulnerability details

This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating parameters in the API request body to gain unauthorized access to other user accounts. Successful exploitation of this vulnerability could allow a remote attacker to perform unauthorized manipulation of data associated with other user accounts.

CWE(s)

CWE-639: Authorization Bypass Through User-Controlled Key

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Org (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Per-request decision making (addresses CWE-639): making the authorization decision on every request makes it harder to bypass authorization using user-controlled keys, because the key is validated as part of the decision rather than trusted.

Consistent enforcement of approved authorizations (addresses CWE-639): when every endpoint enforces the same approved authorizations, substituting a user-controlled key is ineffective.
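As an added illustration of the weakness class and of the per-request check described above (example code written for this page, not Meon's or the page's own; the cancel-bid handler, the in-memory store and the field names bid_id and account_id are constructed), the vulnerable handler keys its ownership decision on an account id taken from the request body, while the fixed handler binds the decision to the server-side session identity:

```python
from dataclasses import dataclass


@dataclass
class Bid:
    bid_id: str
    owner_id: str
    status: str = "open"


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def fresh_store() -> dict:
    # Constructed in-memory bid table: two accounts, one open bid each.
    return {"b-100": Bid("b-100", "alice"), "b-200": Bid("b-200", "bob")}


def cancel_bid_vulnerable(store: dict, session_user: str, body: dict) -> Bid:
    """CWE-639 pattern: the ownership decision is keyed on account_id taken
    from the request body, which the caller controls, so the authenticated
    session identity (session_user) never enters the decision."""
    bid = store[body["bid_id"]]
    if body.get("account_id") != bid.owner_id:
        raise Forbidden("not owner")
    bid.status = "cancelled"
    return bid


def cancel_bid_fixed(store: dict, session_user: str, body: dict) -> Bid:
    """Per-request decision bound to the server-side principal: the object is
    resolved, then checked against session_user; body fields only name the
    object and are never used to prove who the caller is."""
    bid = store.get(body.get("bid_id"))
    if bid is None or bid.owner_id != session_user:
        # One response for 'absent' and 'not yours' avoids confirming
        # that another account's bid id exists.
        raise Forbidden("bid not found or not owned by caller")
    bid.status = "cancelled"
    return bid


if __name__ == "__main__":
    # alice acting on bob's bid: the vulnerable handler accepts, the fixed one refuses.
    request = {"bid_id": "b-200", "account_id": "bob"}
    print(cancel_bid_vulnerable(fresh_store(), "alice", request).status)
    try:
        cancel_bid_fixed(fresh_store(), "alice", request)
    except Forbidden as exc:
        print("refused:", exc)
```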

References

CERT-In advisory CIVN-2025-0082 (the sole referenced advisory)