Cyber Resilience

CVE-2025-58130

Critical

Published: 12 December 2025

Published
12 December 2025
Modified
18 December 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0010 26.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-58130 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Apache Fineract. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

Apache Fineract, an open-source core banking platform, is affected by CVE-2025-58130, an Insufficiently Protected Credentials vulnerability classified under CWE-522. This flaw impacts all versions of Apache Fineract through 1.11.0, where credentials are not adequately safeguarded, potentially exposing sensitive authentication data. The vulnerability carries a CVSS v3.1 base score of 9.1, indicating critical severity due to its high impact on confidentiality and integrity.

Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Successful exploitation allows unauthenticated adversaries to access protected credentials, enabling high-level compromise of confidentiality by reading sensitive data and integrity by modifying it, without affecting availability.

Apache advisories confirm the issue is fixed in version 1.12.1, with users strongly encouraged to upgrade to the latest release, 1.13.0, for comprehensive protection. Relevant discussions are available in the Apache mailing list announcement and OSS-Security mailing list post.

EU & UK References

Vulnerability details

Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

Unauthenticated remote exploitation of a public-facing banking platform vulnerability enables initial access (T1190) and specifically facilitates credential collection via software exploitation (T1212) by exposing and allowing modification of insufficiently protected credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-32838Same product: Apache Fineract
CVE-2026-46586Same vendor: Apache
CVE-2026-41873Same vendor: Apache
CVE-2025-24783Same vendor: Apache
CVE-2024-53678Same vendor: Apache
CVE-2026-34059Same vendor: Apache
CVE-2026-40961Same vendor: Apache
CVE-2025-48913Same vendor: Apache
CVE-2025-65114Same vendor: Apache
CVE-2026-27446Same vendor: Apache

Affected Assets

apache
fineract
≤ 1.12.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely patching of the insufficiently protected credentials flaw in Apache Fineract versions through 1.11.0.

prevent

Ensures authenticators such as credentials in Apache Fineract are securely managed, protected from unauthorized disclosure, and properly handled to prevent exposure to unauthenticated attackers.

prevent

Implements cryptographic protection for credentials at rest, directly addressing the insufficient protection that allows remote unauthenticated access in vulnerable Fineract versions.

References