Cyber Resilience

CVE-2025-48999

Medium · Public PoC

Published: 03 June 2025
Modified: 05 June 2025
KEV Added: not listed
Patch: see vulnerability details (version 2.10.10)
CVSS Score (v4): 6.8
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0020 (41.8th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-48999 is a medium-severity Improper Access Control (CWE-284) vulnerability in DataEase (vendor: Dataease). Its CVSS v4 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 41.8th percentile by exploit likelihood (EPSS, below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

DataEase is an open source business intelligence and data visualization tool. Versions prior to 2.10.10 contain a bypass of the patch for CVE-2025-46566. In a malicious payload, `getUrlType()` retrieves `hostName`; because the conditional check returns false, execution does not enter the if statement and the value is not filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. Version 2.10.10 contains a patch for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-48999 is a patch bypass leading to RCE in DataEase via unverified JDBC connection parameters for Redshift data sources, exploiting the web application to load and execute remote malicious Spring XML payloads.

Affected Assets

Vendor: dataease
Product: dataease
Versions: ≤ 2.10.10

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping has not yet been run for this CVE; the controls below are derived only from the weakness types (CWEs) cited in the NVD entry, so they are generic to those CWEs rather than specific to this DataEase issue.

- Requiring authorization of wireless access before allowing connections enforces proper access control for this access method. (addresses: CWE-284, CWE-923)
- Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems. (addresses: CWE-284, CWE-923)
- Enforces physical-layer access control on transmission resources, reducing the ability to reach or manipulate them outside intended boundaries. (addresses: CWE-284, CWE-923)
- Requiring external providers to implement and be monitored against organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries. (addresses: CWE-284, CWE-923)
- Authorizing and controlling VoIP use directly enforces access control decisions over a distinct communication technology. (addresses: CWE-284, CWE-923)
- Role separation implements access control boundaries between internal and external name resolution services. (addresses: CWE-284, CWE-923)
- Disabling or removing ports and I/O devices directly enforces hardware-level access control by eliminating entry points. (addresses: CWE-284, CWE-923)
- Cross-domain policy enforcement implements mandatory access control at domain boundaries, directly preventing unauthorized interactions across security domains. (addresses: CWE-284, CWE-923)

References