Cyber Posture

CVE-2025-46658

Critical

Published: 05 August 2025
Modified: 02 October 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (28.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-46658 is a critical-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in 4Cstrategies Exonaut. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-11 requires the system to handle errors and exceptions without an indication of whether an error occurred or disclosing sensitive information, directly preventing verbose error message exposures.

Prevent: SI-15 mandates filtering information prior to output to external destinations, preventing sensitive data leakage through verbose error messages in web responses.

Detect: AU-13 provides monitoring for information disclosure events, enabling detection of sensitive information leaks from exploitation of verbose error messages.
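An added example (constructed here, not code from the page, from 4C Strategies or from Exonaut) of the SI-11/SI-15 pattern the controls above describe: the same request handler first leaking a back-end exception to the client (the CWE-209 shape), then returning a generic message with a correlation id while the detail goes only to the server-side log and anything still emitted is scrubbed. The handler, logger name and failure text are assumptions.

```python
import logging
import re
import uuid

log = logging.getLogger("errorhandling-example")  # hypothetical logger name


class BackendError(Exception):
    pass


def query_backend(user_id: str) -> dict:
    # Stand-in for a real data-access call; constructed to always fail so the
    # two handlers below can be compared on the same exception text.
    raise BackendError(
        "connect to host db01.internal failed: password authentication failed "
        "for user 'svc_app' (config: /opt/app/conf/db.properties)"
    )


def handle_leaky(user_id: str) -> tuple[int, str]:
    """Verbose handler: the raw exception text is returned to the client."""
    try:
        query_backend(user_id)
        return 200, "ok"
    except Exception as exc:
        return 500, f"Internal error: {exc}"  # CWE-209: host, account, path leak


# SI-15 style output filter: remove details that must never reach a client
# (file system paths, internal hostnames, quoted account names).
_SENSITIVE = re.compile(r"(/[\w.\-]+)+|\b[\w\-]+\.internal\b|'[^']*'")


def scrub(text: str) -> str:
    """Replace sensitive fragments in text destined for an external party."""
    return _SENSITIVE.sub("[redacted]", text)


def handle_hardened(user_id: str) -> tuple[int, str]:
    """SI-11 handler: generic client message plus a correlation id; the full
    exception is written to the server log, where operators can look it up."""
    try:
        query_backend(user_id)
        return 200, "ok"
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s handler failed: %s", ref, exc)  # detail stays server-side
        return 500, scrub(f"An internal error occurred. Reference: {ref}")
```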

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The unauthenticated network-accessible verbose error disclosure in a public-facing web component directly enables exploitation of the application (T1190), with the leaked sensitive data facilitating follow-on compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. There are verbose error messages.

Deeper analysis [AI]

CVE-2025-46658 is a vulnerability discovered in the ExonautWeb component of 4C Strategies Exonaut version 21.6, where verbose error messages are exposed. This issue falls under CWE-209 (Generation of Error Message Containing Sensitive Information) and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts across confidentiality, integrity, and availability.

The vulnerability can be exploited by unauthenticated attackers over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to obtain sensitive information from the verbose error messages, potentially enabling further compromise that achieves high-level impacts on confidentiality, integrity, and availability as scored by CVSS.

For mitigation details, security practitioners should consult the provided references, including a GitHub gist at https://gist.github.com/Jowu73/005ca4f85b27fb272a4e62e373341fa5 and the vendor's Exonaut product page at https://www.4cstrategies.com/solutions/exonaut/. No specific patch or advisory information is detailed in the CVE publication from August 5, 2025.

Details

CWE(s): CWE-209 (Generation of Error Message Containing Sensitive Information)

Affected Products: 4cstrategies exonaut 21.6

CVEs Like This One

CVE-2025-1395 (shared CWE-209)
CVE-2025-71282 (shared CWE-209)
CVE-2025-47813 (shared CWE-209)
CVE-2026-29146 (shared CWE-209)
CVE-2025-13726 (shared CWE-209)
CVE-2026-22646 (shared CWE-209)
CVE-2025-31141 (shared CWE-209)
CVE-2026-1175 (shared CWE-209)
CVE-2023-38010 (shared CWE-209)
CVE-2025-22218 (shared CWE-209)
