Cyber Resilience

CVE-2025-54378

HighPublic PoC

Published: 26 July 2025

Published
26 July 2025
Modified
21 August 2025
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0034 57.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54378 is a high-severity Improper Authorization (CWE-285) vulnerability in Psu Haxcms-Nodejs. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 42.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource.…

more

Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1565 Data Manipulation Impact
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Missing authorization in API endpoints enables authenticated users to enumerate sites/nodes (T1083), access local config files potentially containing credentials (T1005, T1552), collect data from CMS repositories (T1213), and manipulate or destroy other users' site data (T1565, T1485).

Affected Assets

psu
haxcms-nodejs
≤ 11.0.14
psu
haxcms-php
≤ 11.0.9

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-285 CWE-862

Documented procedures facilitate correct implementation and ongoing management of authorization decisions.

addresses: CWE-285 CWE-862

Periodic reviews identify and correct flaws in authorization decisions or enforcement.

addresses: CWE-862 CWE-285

Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.

addresses: CWE-285 CWE-862

Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.

addresses: CWE-285 CWE-862

Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.

addresses: CWE-285 CWE-862

The control explicitly requires authorization of each wireless access type prior to permitting connections.

addresses: CWE-285 CWE-862

Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.

addresses: CWE-285 CWE-862

Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.

References