Cyber Posture

CVE-2025-57266

Critical

Published: 29 September 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57266 is a critical-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: AC-3 enforces approved authorizations for access to system resources, directly preventing unauthenticated attackers from accessing sensitive API keys via the /api/assistant/list endpoint.
- prevent: SC-14 implements restrictions on publicly accessible system interfaces, mitigating exposure of the unauthenticated /api/assistant/list API endpoint.
- prevent: AC-22 controls access to publicly accessible content, protecting sensitive information like API keys disclosed by the vulnerable endpoint.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

Direct remote exploitation of exposed public API endpoint due to missing access control (T1190), resulting in disclosure of API keys as unsecured credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint.

Deeper analysisAI

CVE-2025-57266 is a vulnerability discovered in the AssistantController.java file within the ThriveX Blogging Framework, affecting versions 2.5.9 through 3.1.3. The flaw allows unauthenticated attackers to access sensitive information, such as API keys, by sending requests to the exposed /api/assistant/list endpoint. It is classified under CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers with network access can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation involves querying the /api/assistant/list endpoint, which improperly discloses sensitive data like API keys, potentially enabling further unauthorized actions depending on the keys' privileges.

Mitigation details and additional context are available in the referenced advisories: https://gist.github.com/candyb0x/fccc49a989473b7f1e47479619eaf1ca and https://github.com/LiuYuYang01/ThriveX-Server/issues/55. The CVE was published on 2025-09-29.
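Added example (not code from this advisory or from the ThriveX project): a small Python triage helper that tells a defender whether an inventoried ThriveX version falls inside the affected range named above and flags successful requests to the vulnerable /api/assistant/list endpoint in combined-format web access logs. The combined log format, the constructed sample lines and the helper names are assumptions.

```python
import re
from collections import Counter

# Affected range taken from the NVD description: ThriveX 2.5.9 through 3.1.3 inclusive.
AFFECTED_MIN = (2, 5, 9)
AFFECTED_MAX = (3, 1, 3)
VULN_PATH = "/api/assistant/list"

# Apache/nginx "combined" access-log format (assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_version(v: str) -> tuple:
    """Turn '3.1.3' or 'v3.1.3' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected_version(v: str) -> bool:
    """True if a ThriveX version falls inside the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX

def find_endpoint_hits(lines):
    """Return parsed requests that reached the vulnerable endpoint with HTTP 200.
    On an affected version every such request is a candidate key disclosure and
    should be reviewed; rotating the exposed API keys is the safe response."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore query string
        if path == VULN_PATH and m.group("status") == "200":
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Count hits per source IP so a burst from one address stands out."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log lines (not real traffic); documentation-range IPs.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Sep/2025:10:02:11 +0000] "GET /api/assistant/list HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '203.0.113.7 - - [30/Sep/2025:10:02:13 +0000] "GET /api/assistant/list?page=2 HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '198.51.100.4 - - [30/Sep/2025:10:05:40 +0000] "GET /api/article/list HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Sep/2025:10:06:02 +0000] "GET /api/assistant/list HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in summarize(find_endpoint_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} successful request(s) to {VULN_PATH}")
```

A 401 on the endpoint (last sample line) is what a patched or access-controlled instance should return; only 200 responses are counted as potential disclosures.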

Details

CWE(s): CWE-284 (Improper Access Control)

CVEs Like This One

- CVE-2026-23782 (shared CWE-284)
- CVE-2026-22566 (shared CWE-284)
- CVE-2025-25381 (shared CWE-284)
- CVE-2025-66956 (shared CWE-284)
- CVE-2026-30707 (shared CWE-284)
- CVE-2025-23243 (shared CWE-284)
- CVE-2026-40595 (shared CWE-284)
- CVE-2025-66509 (shared CWE-284)
- CVE-2025-27649 (shared CWE-284)
- CVE-2025-50900 (shared CWE-284)
