CVE-2025-57130
Published: 05 November 2025
Summary
CVE-2025-57130 is a high-severity Improper Access Control (CWE-284) vulnerability in ZwiiCMS. Its CVSS v3.1 base score is 8.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 41.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-57130, published on 2025-11-05, is an Incorrect Access Control vulnerability (CWE-284) in the user management component of ZwiiCMS up to version 13.6.07. A remote, authenticated attacker can escalate privileges by sending a specially crafted HTTP request: a low-privilege user gains access to, and can modify, the profile data of any other user, administrators included. The CVSS v3.1 base score is 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L): network-reachable, low attack complexity, low privileges required (any account), no user interaction, unchanged scope, high confidentiality and integrity impact, low availability impact. PR:L is the only component holding the score below critical, so the practical severity depends on how easily an attacker can obtain any account on the instance.
Exploitation requires only an authenticated low-privilege account and network access to the vulnerable ZwiiCMS instance; no user interaction is needed. The attacker crafts an HTTP request to the user management endpoint that names another user's profile and obtains read and write access to it. Because this reaches administrator profiles, a low-privilege user can alter administrative credentials or roles, which is a path to full compromise of the site.
Advisories and mitigation details are available in the provided references: the official ZwiiCMS site at http://zwiicms.com and a Nivel4 blog post at https://blog.nivel4.com/noticias/cve-2025-57130-especialistas-de-nivel4-identifican-falla-de-alta-severidad-en-gestor-de-contenidos, which discusses the high-severity flaw in the content management system. The entry does not name a fixed release; confirm the patched version against the ZwiiCMS changelog rather than assuming that the first release after 13.6.07 closes the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37897
Vulnerability details
An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.
CWE(s)
- CWE-284: Improper Access Control
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068: Exploitation for Privilege Escalation
- T1190: Exploit Public-Facing Application
Why these techniques?
The flaw is an incorrect access control weakness in the user management component of a public-facing CMS. Reaching it means sending crafted HTTP requests to the exposed web application (T1190: Exploit Public-Facing Application); the outcome is that an authenticated low-privilege user gains access to, and control over, other users' accounts, administrators included (T1068: Exploitation for Privilege Escalation).
Affected Assets
- ZwiiCMS up to v13.6.07 (user management component)
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): every read and write of a user profile must be authorized server-side against the pair (requesting account, target account), not merely against the presence of a valid session. This is precisely the check the vulnerable component lacks, and it is what stops a low-privilege user from modifying other users' data, administrators included, via crafted HTTP requests.
AC-6 (Least Privilege): a low-privilege account must not be able to reach or modify profiles of higher-privilege users, and privilege-bearing fields such as role and credentials must be editable only by administrators, so that a user cannot escalate by editing their own record either.
AC-2 (Account Management): controlled provisioning and periodic review of accounts and their privileges make unauthorized changes to roles or credentials visible after the fact and limit how long an escalated or altered account persists; this complements, but does not replace, the enforcement in AC-3 and AC-6.
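The following is an added example written for this page; it is not ZwiiCMS code and the advisory does not describe the real endpoint or its parameters. It models the handler shape described under Deeper analysis (a user management request that is authenticated but never authorized against the target user) next to a hardened handler that enforces the AC-3 and AC-6 controls listed above, and adds an audit pass over constructed request events for the detection side. User fields, role names and the request format are assumptions.

```python
"""Added example, not ZwiiCMS code.  Minimal model of a CMS user-management
endpoint: the CWE-284 handler shape (authenticated, but target user and
fields are taken from the request unchecked) next to a hardened handler
enforcing AC-3 (authorize the actor/target pair) and AC-6 (role and
credential fields are admin-only), plus an audit pass over constructed
request events.  Field names, roles and request format are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class User:
    id: int
    role: str           # "member", "editor" or "admin" (assumed role names)
    email: str
    password_hash: str


class Forbidden(Exception):
    """Raised by the hardened handler; maps to an HTTP 403 in a real app."""


def demo_users() -> Dict[int, User]:
    """Constructed user table for the example."""
    return {
        1: User(1, "admin", "admin@example.test", "hash-admin"),
        2: User(2, "member", "mallory@example.test", "hash-mallory"),
        3: User(3, "editor", "eve@example.test", "hash-eve"),
    }


def update_profile_vulnerable(users: Dict[int, User], session_user_id: int,
                              request: Dict[str, Any]) -> User:
    """Authentication is checked (a session exists) but authorization is not:
    the target id and every field come from the request body, so any
    logged-in member can rewrite an administrator's email, password or role."""
    assert session_user_id in users          # only proves the caller is logged in
    target = users[request["user_id"]]       # attacker-chosen target
    for name, value in request["fields"].items():
        setattr(target, name, value)         # attacker-chosen fields, no allow-list
    return target


EDITABLE_BY_OWNER = {"email", "password_hash"}   # self-service fields
ADMIN_ONLY = {"role"}                            # AC-6: privilege-bearing field


def update_profile_hardened(users: Dict[int, User], session_user_id: int,
                            request: Dict[str, Any]) -> User:
    """Authorize the (actor, target, field) triple before writing anything."""
    actor = users[session_user_id]
    target = users.get(request["user_id"])
    if target is None:
        raise Forbidden("no such user")      # same outcome as denied: no enumeration
    is_admin = actor.role == "admin"
    # AC-3: a non-admin may touch only their own record.
    if target.id != actor.id and not is_admin:
        raise Forbidden("may only edit own profile")
    fields = request["fields"]
    for name in fields:
        if name in ADMIN_ONLY and not is_admin:
            raise Forbidden("role changes require an administrator")
        if name not in ADMIN_ONLY | EDITABLE_BY_OWNER:
            raise Forbidden(f"field not editable: {name}")   # allow-list, never blind setattr
    # Every check passed: apply now, so a denied request leaves no partial write.
    for name, value in fields.items():
        setattr(target, name, value)
    return target


def is_denied(handler: Callable[..., User], *args: Any) -> bool:
    """True if the handler rejects the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


def flag_cross_user_edits(users: Dict[int, User],
                          events: List[Dict[str, int]]) -> List[int]:
    """Detection side over constructed request events of the form
    {"id", "session_user", "target_user"}: return ids of events where a
    non-admin (role as of audit time) edited someone else's profile.  A burst
    of these against administrator ids is the hunt signal for this CVE."""
    flagged = []
    for ev in events:
        actor = users.get(ev["session_user"])
        if actor is None or actor.role == "admin":
            continue
        if ev["target_user"] != ev["session_user"]:
            flagged.append(ev["id"])
    return flagged


if __name__ == "__main__":
    users = demo_users()
    craft = {"user_id": 1, "fields": {"email": "mallory@example.test", "role": "member"}}
    update_profile_vulnerable(users, 2, craft)
    print("vulnerable handler, admin record after member's request:", users[1])
    users = demo_users()
    print("hardened handler denies the same request:",
          is_denied(update_profile_hardened, users, 2, craft))
```

The hardened handler deliberately validates every field before the first write, so a request that mixes a permitted field with a denied one is rejected whole rather than half-applied; and it uses an allow-list of editable fields instead of reflecting request keys onto the record, which is the other half of the fix that an ownership check alone would miss.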