CVE-2025-46408
Published: 15 September 2025
Summary
CVE-2025-46408 is a critical-severity Improper Validation of Certificate with Host Mismatch (CWE-297) vulnerability in AVTECH EagleEyes (Lite). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 14.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29188
Vulnerability details
An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER on the HTTPS socket factory, which disables hostname (domain) validation of the server certificate: any certificate that chains to a trusted CA is accepted, whatever host it was issued for.
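The following is an added illustration, not code from the EagleEyes app: it shows the weak Apache HttpClient 4.x configuration the advisory describes next to a corrected one that keeps hostname verification. The class and method names are hypothetical, and it assumes the legacy org.apache.http API bundled with older Android releases.

```java
import java.security.KeyStore;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

// Hypothetical helper class (not the vendor's code) contrasting the two configurations.
public final class HttpsClients {

    // Weak form matching the advisory: ALLOW_ALL_HOSTNAME_VERIFIER accepts a certificate
    // that chains to a trusted CA for *any* server name (CWE-297). Shown only to make the
    // defect concrete; a network-path adversary holding any valid certificate passes this check.
    public static HttpClient insecureClient() throws Exception {
        SSLSocketFactory sf = newPlatformTrustedFactory();
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        return build(sf);
    }

    // Corrected form: the certificate's CN / subjectAltName must match the host being
    // connected to. STRICT_HOSTNAME_VERIFIER also rejects multi-label wildcard matches.
    public static HttpClient secureClient() throws Exception {
        SSLSocketFactory sf = newPlatformTrustedFactory();
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return build(sf);
    }

    // A fresh factory instance: passing a null trust store makes HttpClient 4.0 initialise
    // its SSLContext with null trust managers, i.e. the platform's default CA set. Using a
    // new instance avoids mutating the shared factory returned by getSocketFactory().
    private static SSLSocketFactory newPlatformTrustedFactory() throws Exception {
        return new SSLSocketFactory((KeyStore) null);
    }

    private static HttpClient build(SSLSocketFactory sf) {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sf, 443));
        HttpParams params = new BasicHttpParams();
        return new DefaultHttpClient(new ThreadSafeClientConnManager(params, registry), params);
    }
}
```

The org.apache.http client was deprecated in Android API 22 and removed in API 23, so the durable fix is to migrate to HttpsURLConnection or a maintained HTTP library and leave their default hostname verification in place.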
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Disabling hostname verification removes the step of TLS certificate validation that ties the certificate to the server name being contacted, so any certificate that chains to a trusted CA is accepted. An adversary positioned on the network path can therefore impersonate the legitimate server and read or alter the traffic, a man-in-the-middle (MITM) attack (T1557).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Approved PKI issuance and trust stores enforce the full certificate validation sequence, including name/hostname checks, rather than allowing application code to disable individual steps.