CVE-2025-58130

Critical

Published: 12 December 2025

Published

12 December 2025

Modified

18 December 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0006 19.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-58130 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Apache Fineract. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely patching of the insufficiently protected credentials flaw in Apache Fineract versions through 1.11.0.

IA-5 Authenticator Management good match

prevent

Ensures authenticators such as credentials in Apache Fineract are securely managed, protected from unauthorized disclosure, and properly handled to prevent exposure to unauthenticated attackers.

SC-28 Protection of Information at Rest good match

prevent

Implements cryptographic protection for credentials at rest, directly addressing the insufficient protection that allows remote unauthenticated access in vulnerable Fineract versions.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1212 Exploitation for Credential Access Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of a public-facing banking platform vulnerability enables initial access (T1190) and specifically facilitates credential collection via software exploitation (T1212) by exposing and allowing modification of insufficiently protected credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.

Deeper analysisAI

Apache Fineract, an open-source core banking platform, is affected by CVE-2025-58130, an Insufficiently Protected Credentials vulnerability classified under CWE-522. This flaw impacts all versions of Apache Fineract through 1.11.0, where credentials are not adequately safeguarded, potentially exposing sensitive authentication data. The vulnerability carries a CVSS v3.1 base score of 9.1, indicating critical severity due to its high impact on confidentiality and integrity.

Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Successful exploitation allows unauthenticated adversaries to access protected credentials, enabling high-level compromise of confidentiality by reading sensitive data and integrity by modifying it, without affecting availability.

Apache advisories confirm the issue is fixed in version 1.12.1, with users strongly encouraged to upgrade to the latest release, 1.13.0, for comprehensive protection. Relevant discussions are available in the Apache mailing list announcement and OSS-Security mailing list post.

Details

CWE(s): CWE-522

Affected Products

apache

fineract

≤ 1.12.1

CVEs Like This One

CVE-2024-32838Same product: Apache Fineract

CVE-2024-55532Same vendor: Apache

CVE-2026-31908Same vendor: Apache

CVE-2025-54466Same vendor: Apache

CVE-2026-40466Same vendor: Apache

CVE-2025-24783Same vendor: Apache

CVE-2026-24343Same vendor: Apache

CVE-2025-66614Same vendor: Apache

CVE-2026-29146Same vendor: Apache

CVE-2025-59059Same vendor: Apache

References

https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy
Issue Tracking, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2025/12/11/6
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108