CVE-2025-50433
Published: 26 November 2025
Summary
CVE-2025-50433 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Monnit Imonnit. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).
Deeper analysis
CVE-2025-50433, published on 2025-11-26, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the imonnit.com web application, discovered on 2025-04-24. Classified under CWE-640 (weak password recovery mechanism for forgotten passwords), it enables malicious actors to gain escalated privileges through a crafted password reset process, resulting in the takeover of arbitrary user accounts.
The vulnerability is exploitable by unauthenticated attackers over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to achieve high-impact compromise of confidentiality, integrity, and availability, specifically by seizing control of any targeted user account on the platform.
Advisories providing further details on the issue, including potential mitigations and patches, are referenced at http://imonnitcom.com, http://monnit.com, https://github.com/0xMandor/imonnit-ato-advisory/blob/main/CVE-2025-50433.md, and https://youtu.be/-BqcdwHgMMA. Security practitioners should review these sources for vendor-recommended remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-199755
Vulnerability details
An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing web application (imonnit.com) enables exploitation for account takeover via crafted password reset, facilitating privilege escalation and compromise/use of valid cloud accounts.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 mandates secure management and resetting of authenticators, directly addressing weak password recovery mechanisms that enable arbitrary account takeovers.
AC-2 establishes processes for account creation, modification, and review, helping to secure password reset workflows and prevent unauthorized privilege escalation.
SI-10 requires validation of information inputs, mitigating crafted requests in the password reset process that lead to account compromise.