
CVE-2025-46566

Severity: Medium · Public PoC

Published: 01 May 2025
Modified: 28 May 2025
CVSS v4 score: 6.8 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0039 (60.4th percentile)
Risk priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46566 is a medium-severity Improper Access Control (CWE-284) vulnerability in DataEase. Its CVSS base score is 6.8 (Medium).

Operationally, this CVE ranks in the top 39.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.


Vulnerability details

DataEase is an open-source BI tool positioned as an alternative to Tableau. Prior to version 2.10.9, authenticated users can achieve remote code execution (RCE) through the backend JDBC link. This issue has been patched in version 2.10.9.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dataease
Product: dataease
Version: ≤ 2.10.9

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-284, CWE-923: Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
- Addresses CWE-284, CWE-923: Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.
- Addresses CWE-284, CWE-923: Enforces physical-layer access control on transmission resources, reducing the ability to reach or manipulate them outside intended boundaries.
- Addresses CWE-284, CWE-923: Requiring external providers to implement and be monitored against organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries.
- Addresses CWE-284, CWE-923: Authorizing and controlling VoIP use directly enforces access control decisions over a distinct communication technology.
- Addresses CWE-284, CWE-923: Role separation implements access control boundaries between internal and external name resolution services.
- Addresses CWE-284, CWE-923: Disabling or removing ports and I/O devices directly enforces hardware-level access control by eliminating entry points.
- Addresses CWE-284, CWE-923: Cross-domain policy enforcement implements mandatory access control at domain boundaries, directly preventing unauthorized interactions across security domains.
