CVE-2025-63529

MediumPublic PoC

Published: 01 December 2025

Published

01 December 2025

Modified

02 December 2025

KEV Added

—

Patch

—

CVSS Score 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score 0.0008 23.3th percentile

Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63529 is a medium-severity Session Fixation (CWE-384) vulnerability in Shridharshukl Blood Bank Management System. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-10 (Concurrent Session Control).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

SC-23 requires mechanisms to protect communications session authenticity, directly preventing session fixation attacks such as reusing attacker-supplied session IDs after authentication.

AC-10 Concurrent Session Control partial match

prevent

AC-10 limits concurrent sessions per account, mitigating session fixation by enforcing single-session-per-user policies that invalidate prior sessions upon new authentication.

AC-12 Session Termination partial match

prevent

AC-12 enforces automatic session termination after defined conditions, reducing the time window available for attackers to exploit hijacked sessions.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a session fixation flaw in the public-facing login.php component of a web application, enabling remote unauthenticated attackers to hijack user sessions after tricking victims into visiting a link with a controlled session ID, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied…

session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim's account.

Deeper analysisAI

CVE-2025-63529 is a session fixation vulnerability in Blood Bank Management System 1.0, affecting the login.php component. It enables an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues using the attacker-supplied session ID rather than generating a new one.

A remote attacker with no privileges can exploit this vulnerability by tricking a user into visiting a malicious link or resource that includes the attacker's controlled session ID, such as via phishing. Once the victim authenticates, the attacker can hijack the session to gain unauthorized access to the victim's account. The issue carries a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and is associated with CWE-384.

Mitigation details are available in related advisories and resources, including https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing, https://github.com/Shridharshukl/Blood-Bank-Management-System, and https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63529.md.