Cyber Resilience

CVE-2025-52689

Critical

Published: 16 July 2025

Published
16 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0157 81.9th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52689 is a critical-severity Session Fixation (CWE-384) vulnerability in Uhg (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-10 (Concurrent Session Control).

Deeper analysis

CVE-2025-52689 is a session fixation vulnerability, tracked under CWE-384, that affects Alcatel-Lucent OmniAccess Stellar wireless access points. The flaw permits an unauthenticated remote attacker to spoof a login request and obtain a valid administrator session identifier, which can then be used to alter access-point behavior. It carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required credentials or user interaction.

An attacker positioned on the network can exploit the issue without authentication to hijack an administrative session and reconfigure the affected access point. Successful exploitation grants full control over device settings and potentially connected clients.

Public advisories from Alcatel-Lucent Enterprise and the Singapore CSA, along with a technical analysis and proof-of-concept code, outline mitigation steps including firmware updates and configuration hardening; the referenced vendor bulletin SA-N0150 specifically addresses this and related issues in the OmniAccess Stellar product line.

EPSS for the CVE has remained flat at 0.0157 since disclosure with no material upward movement.

EU & UK References

Vulnerability details

Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a public-facing web management interface on the access point via session fixation to obtain unauthenticated admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63529Shared CWE-384
CVE-2023-53776Shared CWE-384
CVE-2026-23796Shared CWE-384
CVE-2024-13279Shared CWE-384
CVE-2025-27661Shared CWE-384
CVE-2025-63216Shared CWE-384
CVE-2026-2177Shared CWE-384
CVE-2026-25101Shared CWE-384
CVE-2024-56529Shared CWE-384
CVE-2025-7015Shared CWE-384

Affected Assets

Uhg
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 requires mechanisms to protect the authenticity of communications sessions, directly mitigating session fixation by preventing attackers from spoofing login requests to obtain valid administrator session IDs.

prevent

AC-12 enforces session termination after defined conditions such as inactivity, limiting the exploitation window for any fixed or spoofed administrator sessions obtained via the vulnerability.

prevent

AC-10 limits concurrent sessions per account, preventing attackers from using a spoofed administrator session simultaneously with legitimate sessions on the access point.

References