Cyber Posture

CVE-2025-52689

Severity: Critical
Published: 16 July 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: see the advisories cited under Deeper analysis
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0078 (73.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52689 is a critical-severity Session Fixation (CWE-384) vulnerability in Uhg (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-10 (Concurrent Session Control).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SC-23 requires mechanisms to protect the authenticity of communications sessions, directly mitigating session fixation by preventing attackers from spoofing login requests to obtain valid administrator session IDs.

prevent: AC-12 enforces session termination after defined conditions such as inactivity, limiting the exploitation window for any fixed or spoofed administrator sessions obtained via the vulnerability.

prevent: AC-10 limits concurrent sessions per account, preventing attackers from using a spoofed administrator session simultaneously with legitimate sessions on the access point.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a public-facing web management interface on the access point via session fixation to obtain unauthenticated admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.

Deeper analysis

CVE-2025-52689, published on 2025-07-16, is a CWE-384 (session fixation) vulnerability with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It affects OmniAccess Stellar access points, enabling an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, which could allow modification of the access point's behavior.

The vulnerability can be exploited remotely over the network by any unauthenticated attacker with low complexity and no user interaction required. Successful exploitation grants administrator-level session access, potentially leading to high confidentiality, integrity, and availability impacts, such as altering access point configurations.

Advisories including Singapore's CSA alert AL-2025-072, AL-Enterprise security advisory SA-N0150 on OmniAccess Stellar multiple vulnerabilities, and a technical blog post from UltimateHG detail the issue, with a proof-of-concept exploit available on GitHub at UltimateHG/CVE-2025-52689-PoC. Practitioners should consult these for specific patch information and mitigation guidance.

Details

CWE(s)
CWE-384 (Session Fixation)

Affected Products
Uhg (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-23796 (shared CWE-384)
CVE-2025-63529 (shared CWE-384)
CVE-2023-53776 (shared CWE-384)
CVE-2024-13279 (shared CWE-384)
CVE-2025-63216 (shared CWE-384)
CVE-2025-63224 (shared CWE-384)
CVE-2026-2177 (shared CWE-384)
CVE-2026-25101 (shared CWE-384)
CVE-2025-7015 (shared CWE-384)
CVE-2024-57052 (shared CWE-384)

References