CVE-2025-63225

Critical · Public PoC

Published: 18 November 2025

Modified: 04 February 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63225 is a critical-severity Improper Access Control (CWE-284) vulnerability in Eurolab-Srl Elts 100 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 38.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-63225, published on 2025-11-18, is a Broken Access Control vulnerability (CWE-284) in the Eurolab ELTS100_UBX device running firmware version ELTS100v1.UBX. It arises from missing authentication on critical administrative endpoints, enabling direct access to sensitive functions without any credentials. The issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Remote attackers require only network access to exploit this vulnerability, with no privileges, user interaction, or complex conditions needed. Successful exploitation allows attackers to modify sensitive system and network configurations, upload new firmware, and execute unauthorized actions. This grants full compromise of the device, enabling control over its functionality and potential disruption of operations.

Vendor advisories and vulnerability research are available at http://eurolab-srl.com/ and https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63225_Eurolab_ELTS100_UBX_Broken_Access_Control, which may provide further details on patches or mitigation steps.

EU & UK References

Vulnerability details

The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability involves missing authentication on public-facing administrative endpoints, directly enabling exploitation of a public-facing application for initial access and full device compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39339 (Shared CWE-284)
CVE-2026-46839 (Shared CWE-284)
CVE-2025-26010 (Shared CWE-284)
CVE-2026-34291 (Shared CWE-284)
CVE-2023-47539 (Shared CWE-284)
CVE-2026-23899 (Shared CWE-284)
CVE-2025-7016 (Shared CWE-284)
CVE-2026-46822 (Shared CWE-284)
CVE-2024-37566 (Shared CWE-284)
CVE-2026-30689 (Shared CWE-284)

Affected Assets

eurolab-srl
elts 100 firmware
elts100v1.ubx

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly restricts and documents permitted actions without identification or authentication, ensuring critical administrative endpoints require credentials to prevent unauthorized access.

Prevent: Enforces approved authorizations for access to system resources including administrative endpoints, comprehensively addressing the missing access enforcement on sensitive functions.

Prevent: Mandates identification and authentication for services and non-organizational users before establishing network connections to device endpoints, blocking unauthenticated remote exploitation.

References