CVE-2025-47226
Published: 02 May 2025
Summary
CVE-2025-47226 is a medium-severity Forced Browsing (CWE-425) vulnerability in Snipeitapp Snipe-It. Its CVSS base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13304
Vulnerability details
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
- CWE(s): CWE-425 (Forced Browsing)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR vulnerability (CVE-2025-47226) in public-facing Snipe-IT enables exploitation for initial access (T1190) and unauthorized collection of asset information from the application's repository (T1213).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.
- Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
- Forcing all accesses through the reference monitor prevents direct or forced requests that bypass checks.
- Displaying the notification before further access on public systems prevents direct resource requests from bypassing the required system use terms and consent.
- Decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis.
- Denying input access to non-authorized actors blocks unauthorized direct requests or forced browsing.