CVE-2025-52689
Published: 16 July 2025
Summary
CVE-2025-52689 is a critical-severity Session Fixation (CWE-384) vulnerability in Uhg (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-10 (Concurrent Session Control).
Deeper analysis
CVE-2025-52689 is a session fixation vulnerability, tracked under CWE-384, that affects Alcatel-Lucent OmniAccess Stellar wireless access points. The flaw permits an unauthenticated remote attacker to spoof a login request and obtain a valid administrator session identifier, which can then be used to alter access-point behavior. It carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required credentials or user interaction.
An attacker positioned on the network can exploit the issue without authentication to hijack an administrative session and reconfigure the affected access point. Successful exploitation grants full control over device settings and potentially connected clients.
Public advisories from Alcatel-Lucent Enterprise and the Singapore CSA, along with a technical analysis and proof-of-concept code, outline mitigation steps including firmware updates and configuration hardening; the referenced vendor bulletin SA-N0150 specifically addresses this and related issues in the OmniAccess Stellar product line.
EPSS for the CVE has remained flat at 0.0157 since disclosure with no material upward movement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21586
Vulnerability details
Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of a public-facing web management interface on the access point via session fixation to obtain unauthenticated admin access.
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms to protect the authenticity of communications sessions, directly mitigating session fixation by preventing attackers from spoofing login requests to obtain valid administrator session IDs.
AC-12 enforces session termination after defined conditions such as inactivity, limiting the exploitation window for any fixed or spoofed administrator sessions obtained via the vulnerability.
AC-10 limits concurrent sessions per account, preventing attackers from using a spoofed administrator session simultaneously with legitimate sessions on the access point.
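As an added illustration of the session-fixation pattern described in the vulnerability details above and of how the SC-23, AC-12 and AC-10 controls counter it, here is a small hypothetical Python session store; it is not the OmniAccess Stellar firmware or any vendor code, and the credential table, idle timeout and session cap are constructed values.

```python
import hashlib, hmac, secrets, time

# Constructed credential table standing in for the device's real auth backend
# (plain sha256 for brevity; a real backend would use a slow password hash).
_CREDS = {"admin": hashlib.sha256(b"correct-horse").hexdigest()}

def _check_password(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_CREDS.get(user, ""), digest)

class SessionStore:
    """In-memory session table for a management web UI (hypothetical)."""
    IDLE_TIMEOUT = 600          # seconds before an idle session is dropped (AC-12)
    MAX_SESSIONS_PER_USER = 1   # concurrent sessions allowed per account (AC-10)

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}     # sid -> {"user": ..., "role": ..., "last": ...}

    def new_anonymous(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "role": "anonymous", "last": self._clock()}
        return sid

    def login_vulnerable(self, sid, user, password):
        # CWE-384: the ID the client presented is kept and simply promoted, so an ID
        # the server never issued (or one planted on the victim) becomes an
        # administrator session the moment the real administrator logs in with it.
        if not _check_password(user, password):
            return None
        self._sessions[sid] = {"user": user, "role": "admin", "last": self._clock()}
        return sid

    def login_hardened(self, sid, user, password):
        if not _check_password(user, password):
            return None
        self._sessions.pop(sid, None)           # SC-23: pre-auth ID is never promoted
        live = [s for s, v in self._sessions.items() if v["user"] == user]
        for old in live[: max(0, len(live) - self.MAX_SESSIONS_PER_USER + 1)]:
            del self._sessions[old]             # AC-10: evict oldest surplus sessions
        new_sid = secrets.token_urlsafe(32)     # fresh, unguessable ID issued at login
        self._sessions[new_sid] = {"user": user, "role": "admin", "last": self._clock()}
        return new_sid

    def authorize_admin(self, sid):
        s = self._sessions.get(sid)
        if s is None or s["role"] != "admin":
            return False
        now = self._clock()
        if now - s["last"] > self.IDLE_TIMEOUT:  # AC-12: idle session is terminated
            del self._sessions[sid]
            return False
        s["last"] = now
        return True
```

With `login_vulnerable`, any ID the client names is promoted to administrator after a valid login; with `login_hardened`, the pre-login ID is discarded, only the server-issued replacement is honoured, and it is further bounded by the concurrency cap and idle timeout.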