CVE-2025-59683

High

Published: 25 December 2025

Published

25 December 2025

Modified

05 January 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

EPSS Score 0.0024 47.7th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59683 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Pexip Pexip Infinity. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 directly enforces approved authorizations for access to system resources, addressing the core improper access control flaw that allows unauthorized remote reading of sensitive data.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of system flaws like this CVE, with the vendor recommending upgrade to version 38.1 or later to fix the vulnerability.

SC-5 Denial-of-service Protection partial match

prevent

SC-5 protects against denial-of-service events by limiting effects of resource exhaustion caused by the attacker's excessive consumption in this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The vulnerability is an improper access control in a network-accessible service (AV:N/PR:N), enabling exploitation of a public-facing application (T1190) for unauthorized data access and resource exhaustion leading to endpoint DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources,…

leading to a denial of service.

Deeper analysisAI

CVE-2025-59683 is an Improper Access Control vulnerability (CWE-863) in the Secure Scheduler for Exchange service of Pexip Infinity versions 15.0 through 38.0 before 38.1. This issue arises specifically when the service is used with Office 365 Legacy Exchange Tokens. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating high severity due to its network accessibility and impact potential.

A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation enables the attacker to read potentially sensitive data while also excessively consuming resources on the affected system, resulting in a denial-of-service condition.

The Pexip security bulletin at https://docs.pexip.com/admin/security_bulletins.htm details mitigation steps, including upgrading to Pexip Infinity version 38.1 or later to address the improper access control.