Cyber Resilience

CVE-2025-57266

Critical

Published: 29 September 2025

Modified: 15 April 2026
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0022 (44.4th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57266 is a critical-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking places it at the 44.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-57266 is a vulnerability discovered in the AssistantController.java file within the ThriveX Blogging Framework, affecting versions 2.5.9 through 3.1.3. The flaw allows unauthenticated attackers to access sensitive information, such as API keys, by sending requests to the exposed /api/assistant/list endpoint. It is classified under CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers with network access can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation involves querying the /api/assistant/list endpoint, which improperly discloses sensitive data like API keys, potentially enabling further unauthorized actions depending on the keys' privileges.
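To verify remediation on your own deployment, the following added example (not code from ThriveX or the referenced advisories) classifies a captured response to an unauthenticated request against /api/assistant/list, walking the JSON for secret-looking fields that are returned unmasked. The response structure and the field names it matches are assumptions, since the advisory only states that API keys are disclosed.

```python
"""Classify a captured /api/assistant/list response to verify remediation.
Added example, not ThriveX code; response shape and field names are assumed."""
import json
import re
from typing import Any, Iterator

# Field names that commonly carry secrets in assistant/LLM integration
# records (assumed; the advisory only says "API keys" are disclosed).
SECRET_FIELD = re.compile(r"(api[_-]?key|secret|token)$", re.IGNORECASE)

# A value that is masked in the response (e.g. "sk-c****") is acceptable.
MASKED = re.compile(r"^[*x]{4,}$|^.{0,4}\*{4,}$")


def secret_paths(node: Any, path: str = "$") -> Iterator[str]:
    """Yield JSON paths of secret-looking fields whose value is not masked."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SECRET_FIELD.search(key) and isinstance(value, str) \
                    and value and not MASKED.match(value):
                yield child
            yield from secret_paths(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from secret_paths(item, f"{path}[{i}]")


def classify(status: int, body: str) -> tuple[str, list[str]]:
    """Classify the response to an *unauthenticated* request.

    MITIGATED  - access control now rejects anonymous callers (401/403)
    VULNERABLE - anonymous access succeeded and unmasked secrets are present
    REDACTED   - anonymous access succeeded but no unmasked secret was found
                 (the endpoint still answers anonymously; AC-3 is not enforced)
    """
    if status in (401, 403):
        return "MITIGATED", []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "UNKNOWN", []
    leaked = list(secret_paths(data))
    return ("VULNERABLE", leaked) if leaked else ("REDACTED", [])


# Constructed sample bodies (not real captures) for a quick self-check.
LEAKY = '{"code": 200, "data": [{"id": 1, "name": "gpt", "apiKey": "sk-constructed-1234"}]}'
SAFE = '{"code": 200, "data": [{"id": 1, "name": "gpt", "apiKey": "sk-c****"}]}'
```

Feed it the status code and body captured from a test request against your own instance; a result other than MITIGATED means the access-control fix is not in place even if the keys happen to be masked.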

Mitigation details and additional context are available in the referenced advisories: https://gist.github.com/candyb0x/fccc49a989473b7f1e47479619eaf1ca and https://github.com/LiuYuYang01/ThriveX-Server/issues/55. The CVE was published on 2025-09-29.


Vulnerability details

An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Direct remote exploitation of exposed public API endpoint due to missing access control (T1190), resulting in disclosure of API keys as unsecured credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23782 (shared CWE-284)
CVE-2026-22566 (shared CWE-284)
CVE-2025-25381 (shared CWE-284)
CVE-2026-39339 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)
CVE-2026-34291 (shared CWE-284)
CVE-2023-47539 (shared CWE-284)
CVE-2026-23899 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)


Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 enforces approved authorizations for access to system resources, directly preventing unauthenticated attackers from accessing sensitive API keys via the /api/assistant/list endpoint.

Prevent: SC-14 implements restrictions on publicly accessible system interfaces, mitigating exposure of the unauthenticated /api/assistant/list API endpoint.

Prevent: AC-22 controls access to publicly accessible content, protecting sensitive information like API keys disclosed by the vulnerable endpoint.
