CVE-2025-48999
Published: 03 June 2025
Summary
CVE-2025-48999 is a medium-severity Improper Access Control (CWE-284) vulnerability in DataEase (vendor Dataease). Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 41.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16790
Vulnerability details
DataEase is an open source business intelligence and data visualization tool. A bypass of the patch for CVE-2025-46566 exists in versions prior to 2.10.10. With a malicious payload, `getUrlType()` retrieves `hostName`, but the hostname check (the "judgment statement") returns false, so execution never enters the `if` branch and the value is not filtered. The payload is therefore concatenated directly at the replace location, producing a malicious JDBC statement. Version 2.10.10 contains a patch for the issue.
- CWE-284: Improper Access Control
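The description above turns on a deny-list check that returns false for an unexpected input shape and so lets the raw value reach string concatenation. The following added example (hypothetical code written for this page, not DataEase's own implementation) shows the defensive alternative: a positive allow-list for the host, database name and connection parameters, where anything not explicitly matched is rejected before a JDBC URL is ever built. The `jdbc:redshift://` prefix, the parameter names in `ALLOWED_PARAMS` and all sample inputs are assumptions chosen for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical allow-list validator for user-supplied JDBC connection
 * parameters in a BI tool. Not DataEase code. Every field must positively
 * match a narrow grammar; nothing is filtered by a "does it look bad" test.
 */
public final class JdbcTargetValidator {

    // RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
    // no leading or trailing hyphen, at most 253 characters overall.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
        + "(\\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$");

    // Dotted-quad IPv4 literal with each octet in 0-255.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}"
        + "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    // Database names and parameter values: a character set that can never
    // contain a JDBC separator (';', '?', '&', '=', '/', whitespace).
    private static final Pattern SIMPLE_TOKEN = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    // Assumed set of parameters the application deliberately exposes. Any
    // other key is rejected, so driver options the UI never intended to
    // expose cannot be smuggled in through the connection form.
    private static final Set<String> ALLOWED_PARAMS = Set.of("ssl", "loginTimeout", "tcpKeepAlive");

    private JdbcTargetValidator() {}

    /** True only when the value is a well-formed host name or IPv4 literal. */
    public static boolean isValidHost(String host) {
        if (host == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        return HOSTNAME.matcher(h).matches() || IPV4.matcher(h).matches();
    }

    /** Builds a Redshift-style JDBC URL, or throws if any input fails validation. */
    public static String buildUrl(String host, int port, String database, Map<String, String> params) {
        if (!isValidHost(host)) throw new IllegalArgumentException("rejected host: " + host);
        if (port < 1 || port > 65535) throw new IllegalArgumentException("rejected port: " + port);
        if (database == null || !SIMPLE_TOKEN.matcher(database).matches())
            throw new IllegalArgumentException("rejected database name");
        StringBuilder url = new StringBuilder("jdbc:redshift://")
            .append(host.toLowerCase(Locale.ROOT)).append(':').append(port).append('/').append(database);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!ALLOWED_PARAMS.contains(e.getKey()) || !SIMPLE_TOKEN.matcher(e.getValue()).matches())
                throw new IllegalArgumentException("rejected parameter: " + e.getKey());
            url.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = "&";
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs for demonstration only.
        System.out.println(buildUrl("warehouse.example.internal", 5439, "analytics", Map.of("ssl", "true")));
        String[] rejectedHosts = { "warehouse.example.internal;option=1", "host/../x", "", "a b" };
        for (String h : rejectedHosts) {
            System.out.println("'" + h + "' accepted? " + isValidHost(h));
        }
        try {
            buildUrl("db.example.internal", 5439, "analytics", Map.of("unlistedOption", "x"));
        } catch (IllegalArgumentException ex) {
            System.out.println(ex.getMessage());
        }
    }
}
```

The design choice worth noting is that every branch that does not positively match throws; there is no path on which an unmatched value falls through to the builder, which is exactly the failure mode the advisory text describes for the bypassed check.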
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)
- Exploit Public-Facing Application (T1190)
Why these techniques?
CVE-2025-48999 is a patch bypass leading to RCE in DataEase via unverified JDBC connection parameters for Redshift data sources, exploiting the web application to load and execute remote malicious Spring XML payloads.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-assisted mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
- Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.
- Enforcing physical-layer access control on transmission resources reduces the ability to reach or manipulate them outside intended boundaries.
- Requiring external providers to implement, and be monitored against, organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries.
- Authorizing and controlling VoIP use directly enforces access control decisions over a distinct communication technology.
- Role separation implements access control boundaries between internal and external name resolution services.
- Disabling or removing ports and I/O devices directly enforces hardware-level access control by eliminating entry points.
- Cross-domain policy enforcement implements mandatory access control at domain boundaries, directly preventing unauthorized interactions across security domains.