CVE-2025-45968
Published: 25 August 2025
Summary
CVE-2025-45968 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in System Pdv Project System Pdv. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-16 (Security and Privacy Attributes) and AC-24 (Access Control Decisions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to information and system resources, directly addressing the lack of authorization checks on the hash parameter that enables IDOR exploitation.
Requires authorization decisions for access to system resources like user data referenced by URL hash parameters, preventing unauthorized direct object access.
Implements security attributes on objects (e.g., owner identifiers) to validate and enforce access rights when objects are referenced via manipulated hash parameters.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in a public-facing web app directly enables remote exploitation (T1190) and unauthorized retrieval of sensitive local/system data (T1005).
NVD Description
An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization…
more
checks when accessing objects referenced by this parameter. This allows direct access to other users' data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information.
Deeper analysisAI
CVE-2025-45968 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting System PDV version 1.0. The flaw arises from inadequate authorization checks on the hash parameter in URLs, enabling unauthorized access to objects. This allows a remote attacker to obtain sensitive information by manipulating the parameter to reference other users' data or internal resources. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high impacts on confidentiality, integrity, and availability.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network. By crafting a malicious URL with a modified hash parameter, the attacker can directly access and retrieve sensitive data belonging to other users or protected internal resources. Successful exploitation results in the exposure of sensitive information, with potential for broader impacts aligned to the high CVSS scores in confidentiality, integrity, and availability.
For details on mitigation, refer to the advisory at https://medium.com/@r3dd1t/pedindo-um-lanche-e-possivelemnte-descobrindo-uma-cve-9930b0114e3f, published alongside the CVE on 2025-08-25.
Details
- CWE(s)