Cyber Resilience

CVE-2025-45968

CriticalPublic PoC

Published: 25 August 2025

Published
25 August 2025
Modified
21 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0041 62.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-45968 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in System Pdv Project System Pdv. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-16 (Security and Privacy Attributes) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2025-45968 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting System PDV version 1.0. The flaw arises from inadequate authorization checks on the hash parameter in URLs, enabling unauthorized access to objects. This allows a remote attacker to obtain sensitive information by manipulating the parameter to reference other users' data or internal resources. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high impacts on confidentiality, integrity, and availability.

A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network. By crafting a malicious URL with a modified hash parameter, the attacker can directly access and retrieve sensitive data belonging to other users or protected internal resources. Successful exploitation results in the exposure of sensitive information, with potential for broader impacts aligned to the high CVSS scores in confidentiality, integrity, and availability.

For details on mitigation, refer to the advisory at https://medium.com/@r3dd1t/pedindo-um-lanche-e-possivelemnte-descobrindo-uma-cve-9930b0114e3f, published alongside the CVE on 2025-08-25.

EU & UK References

Vulnerability details

An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization…

more

checks when accessing objects referenced by this parameter. This allows direct access to other users' data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

IDOR in a public-facing web app directly enables remote exploitation (T1190) and unauthorized retrieval of sensitive local/system data (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22235Shared CWE-639
CVE-2026-22589Shared CWE-639
CVE-2026-24773Shared CWE-639
CVE-2025-26977Shared CWE-639
CVE-2024-50693Shared CWE-639
CVE-2025-69394Shared CWE-639
CVE-2026-41471Shared CWE-639
CVE-2025-58402Shared CWE-639
CVE-2025-68051Shared CWE-639
CVE-2026-4503Shared CWE-639

Affected Assets

system pdv project
system pdv
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to information and system resources, directly addressing the lack of authorization checks on the hash parameter that enables IDOR exploitation.

prevent

Requires authorization decisions for access to system resources like user data referenced by URL hash parameters, preventing unauthorized direct object access.

prevent

Implements security attributes on objects (e.g., owner identifiers) to validate and enforce access rights when objects are referenced via manipulated hash parameters.

References