CVE-2025-54816

Critical

Published: 22 January 2026

Published

22 January 2026

Modified

02 February 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.0010 26.8th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54816 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Evmapa Evmapa. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

AC-14 explicitly defines and restricts actions permitted without identification or authentication, directly preventing unauthorized WebSocket connections due to missing authentication enforcement.

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved access authorizations in the system, ensuring authentication is required before allowing connections to the vulnerable WebSocket endpoint.

AC-17 Remote Access good match

prevent

AC-17 authorizes, monitors, and controls remote access sessions, mitigating unauthorized remote connections to the WebSocket endpoint over the network.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Missing authentication on public WebSocket endpoint directly enables remote exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that…

no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

Deeper analysisAI

CVE-2025-54816 is a vulnerability in a WebSocket endpoint that does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. Published on 2026-01-22, it is associated with CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). The issue enables attackers to gain unauthorized access to sensitive data or perform unauthorized actions, potentially leading to privilege escalation and compromise of the entire system.

The vulnerability can be exploited by any remote attacker with network access, requiring low complexity, no privileges, no user interaction, and no special scoping changes. Successful exploitation grants high confidentiality and integrity impacts with low availability impact, allowing unauthorized connections that expose sensitive data, enable unauthorized actions, escalate privileges, and threaten overall system security.

Mitigation details are provided in CISA advisory ICSA-26-022-08, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 and the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json.