Cyber Resilience

CVE-2025-57130

High

Published: 05 November 2025

Modified: 02 February 2026
CVSS Score v3.1: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0019 (41.3rd percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57130 is a high-severity Improper Access Control (CWE-284) vulnerability in ZwiiCMS (vendor and product both listed as Zwiicms). Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 41.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-57130, published on 2025-11-05, is an Incorrect Access Control vulnerability (CWE-284) in the user management component of ZwiiCMS up to version 13.6.07. It allows a remote, authenticated attacker to escalate privileges by sending a specially crafted HTTP request, enabling a low-privilege user to access and modify the profile data of any other user, including administrators. The issue carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality and integrity.

The attack requires an authenticated low-privilege account with network access to the vulnerable ZwiiCMS instance. An attacker can exploit it without user interaction by crafting and sending an HTTP request to the user management endpoint, gaining unauthorized read and write access to other users' profiles. This enables privilege escalation, such as modifying administrative credentials or roles, potentially leading to full system compromise.

Advisories and mitigation details are available in the provided references, including the official ZwiiCMS site at http://zwiicms.com and a Nivel4 blog post at https://blog.nivel4.com/noticias/cve-2025-57130-especialistas-de-nivel4-identifican-falla-de-alta-severidad-en-gestor-de-contenidos, which discusses the high-severity flaw in the content management system.


Vulnerability details

An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an incorrect access control flaw in a public-facing CMS user management component, enabling remote authenticated low-privilege attackers to escalate privileges via crafted HTTP requests (T1068: Exploitation for Privilege Escalation) by exploiting the web application (T1190: Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-21636 (shared CWE-284)
CVE-2024-53348 (shared CWE-284)
CVE-2025-20229 (shared CWE-284)
CVE-2026-24300 (shared CWE-284)
CVE-2026-20750 (shared CWE-284)
CVE-2025-2280 (shared CWE-284)
CVE-2025-70064 (shared CWE-284)
CVE-2024-44313 (shared CWE-284)

Affected Assets

Vendor: zwiicms
Product: zwiicms
Versions: ≤ 13.6.07

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: AC-3 (Access Enforcement) enforces approved authorizations for logical access to user profiles, directly preventing low-privilege users from modifying other users' data, including administrators, via crafted HTTP requests.

Prevent: AC-6 (Least Privilege) applies least privilege to restrict low-privilege users from escalating access or modifying higher-privilege user profiles in the user management component.

Prevent: AC-2 (Account Management) manages accounts and privileges so that unauthorized modifications to user profiles, including roles and credentials, are prevented through proper provisioning and review processes.
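As an added illustration that is not ZwiiCMS code, the following Python models the missing check the deeper analysis describes (a request naming another user's profile is honoured without comparing it to the authenticated actor) beside the AC-3/AC-6 enforcement the controls above call for; user ids, roles, field names and the request shape are assumptions.

```python
# Added example, not ZwiiCMS code: the profile-edit authorization check whose
# absence CVE-2025-57130 describes (CWE-284), beside an AC-3/AC-6 enforcing
# version. User ids, roles, field names and the request shape are assumptions.
from dataclasses import dataclass, field

ADMIN, MEMBER = "admin", "member"
PRIVILEGED_FIELDS = {"role", "password"}  # assumed admin-only profile fields


@dataclass
class User:
    uid: str
    role: str
    profile: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the authenticated actor may not perform the change."""


def update_profile_vulnerable(users, actor_uid, target_uid, changes):
    # Vulnerable pattern: the target id comes from the request and is never
    # compared with the authenticated actor, so any user edits any profile.
    users[target_uid].profile.update(changes)


def update_profile_enforced(users, actor_uid, target_uid, changes):
    # AC-3: authorize against the authenticated actor, not the request's id.
    # AC-6: non-administrators edit only their own profile and never the
    # privileged fields (role, credentials) that would let them escalate.
    actor = users[actor_uid]
    if actor.role != ADMIN:
        if target_uid != actor_uid:
            raise Forbidden("profile belongs to another user")
        if PRIVILEGED_FIELDS.intersection(changes):
            raise Forbidden("field reserved for administrators")
    users[target_uid].profile.update(changes)


def fresh_users():
    # Constructed sample data: one administrator and one low-privilege member.
    return {"alice": User("alice", ADMIN, {"email": "alice@example.test"}),
            "bob": User("bob", MEMBER, {"email": "bob@example.test"})}


def run_scenario(handler, actor_uid, target_uid, changes):
    # Apply one request to a fresh user table; return (allowed, users).
    users = fresh_users()
    try:
        handler(users, actor_uid, target_uid, changes)
        return True, users
    except Forbidden:
        return False, users
```

Running the same request (member bob naming administrator alice as the target) through both handlers shows the vulnerable one rewriting alice's profile and the enforced one rejecting it, while bob's edits to his own non-privileged fields still succeed.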
