CVE-2025-63217

CriticalPublic PoC

Published: 18 November 2025

Published

18 November 2025

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63217 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Itel Id Mux Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Requires verification of authenticators such as JWT tokens prior to granting access, directly mitigating improper validation that allows cross-device reuse.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations in accordance with access control policies, preventing authentication bypass and unauthorized administrative access via flawed JWT checks.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Mandates identification and authentication for non-organizational users, countering the vulnerability that permits remote attackers to gain admin access with reused JWT tokens.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE enables remote unauthenticated authentication bypass via JWT token reuse on network-accessible devices, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device…

running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.

Deeper analysisAI

CVE-2025-63217 is an authentication bypass vulnerability (CWE-288) in the Itel DAB MUX (IDMUX build c041640a), published on 2025-11-18. The flaw arises from improper JWT validation, allowing tokens to be shared across devices running the same firmware. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impact on confidentiality, integrity, and availability.

Any remote attacker can exploit this vulnerability without privileges or user interaction by obtaining a valid JWT token from one affected device and reusing it to authenticate with administrative access on any other device with the same firmware. This works even across devices with different passwords or networks, enabling full compromise of the targeted devices.

Mitigation details and further information are available in the referenced advisories, including vulnerability research at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63217%20_%20Itel%20DAB%20MUX%20Authentication%20Bypass and the vendor site at https://www.itel.it/.