CVE-2025-45777
Published: 25 July 2025
Summary
CVE-2025-45777 is a critical-severity Improper Authentication (CWE-287) vulnerability in Abeltechsoft Chavara Matrimony. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 41.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2025-45777, published on 2025-07-25, is a critical authentication bypass vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the OTP mechanism in Chavara Family Welfare Centre Chavara Matrimony Site v2.0. The flaw, tied to CWE-287 (Improper Authentication), enables attackers to circumvent authentication controls by submitting a crafted request.
Remote attackers require no privileges, user interaction, or special conditions beyond network access to exploit this issue with low complexity. Successful exploitation results in high impacts across confidentiality, integrity, and availability, allowing unauthorized access to authenticated functionality on the matrimony site.
Advisories and related resources are available at https://github.com/edwin-0990/CVE_ID/tree/main/CVE-2025-45777, which likely contains proof-of-concept details, and https://www.chavaramatrimony.com/register-free, the affected site's registration endpoint. No specific patch or mitigation steps are outlined in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22654
Vulnerability details
An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request.
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an authentication bypass vulnerability in a public-facing web application (matrimony site) via crafted OTP requests, enabling exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
IA-5 requires proper management, protection, and verification of authenticators like OTPs, directly preventing bypasses in the OTP mechanism.
IA-8 mandates identification and authentication for non-organizational users accessing public sites, comprehensively addressing the authentication bypass vulnerability.
SI-10 enforces validation of all inputs, blocking crafted requests that circumvent the OTP authentication process.