CVE-2025-64281
Published: 12 November 2025
Summary
CVE-2025-64281 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in CentralSquare Community Development. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-64281 is an authentication bypass vulnerability, classified under CWE-288, affecting CentralSquare Community Development version 19.5.7. This flaw enables attackers to gain unauthorized access to the admin panel without requiring valid admin credentials. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high potential impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by remote, unauthenticated attackers over the network with low attack complexity and no need for user interaction or privileges. Successful exploitation provides full access to the admin panel, allowing attackers to perform administrative actions, potentially leading to complete compromise of the affected system.
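The advisory does not describe the specific alternate path used against CentralSquare Community Development, so the following is a constructed illustration of the CWE-288 pattern in general, added here as an example and not taken from the product or from either referenced advisory. It shows a minimal request router whose admin gate is a prefix check on the raw request path while routing happens on a normalised, case-folded path, so a second spelling of the same URL reaches the admin handler unauthenticated, beside a deny-by-default dispatcher that applies the role check on the same canonical path the router uses (the shape of control that AC-14, AC-3 and IA-2 call for). Handler names, the route table and the session dictionaries are all assumptions for the example.

```python
"""Constructed illustration of CWE-288 (Authentication Bypass Using an
Alternate Path or Channel) in a minimal request router. This is example
code, not CentralSquare code, and it does not reproduce CVE-2025-64281.

Two dispatchers share one route table:
  * vulnerable_dispatch: the admin gate is a string-prefix check on the raw
    request path, but the route lookup uses a normalised, case-folded path.
    Spellings that survive normalisation but miss the prefix check, such as
    "/./admin/users", "/Admin/users" or "//admin/users", reach the admin
    handler without any authentication.
  * hardened_dispatch: deny by default, every route declares the role it
    requires, and the check runs on the same canonical path used for routing.
"""
import posixpath

# Constructed sample handlers (assumed names); each returns a short body.
def public_home(session):
    return "welcome"

def admin_users(session):
    return "user list for admin"

# Route table keyed by canonical path -> (required_role, handler).
# A required_role of None means the route is public.
ROUTES = {
    "/": (None, public_home),
    "/admin/users": ("admin", admin_users),
}

def canonical(path: str) -> str:
    """Normalise the request path the way the router resolves it.

    Leading slashes are collapsed before normpath so the POSIX rule that
    preserves exactly two leading slashes does not apply; '.', '..' and
    repeated slashes are collapsed; lower-casing mimics a case-insensitive
    route match.
    """
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def vulnerable_dispatch(path: str, session: dict) -> str:
    """Auth gate keyed on the raw path, routing keyed on the canonical path."""
    # The gate only fires for paths that literally start with "/admin".
    if path.startswith("/admin") and session.get("role") != "admin":
        return "403 forbidden"
    route = ROUTES.get(canonical(path))
    if route is None:
        return "404 not found"
    _, handler = route
    return handler(session)

def hardened_dispatch(path: str, session: dict) -> str:
    """Deny by default; the role check uses the same canonical path as routing."""
    route = ROUTES.get(canonical(path))
    if route is None:
        return "404 not found"
    required_role, handler = route
    if required_role is not None and session.get("role") != required_role:
        return "403 forbidden"
    return handler(session)

# Constructed sessions: no authenticated user, and an authenticated admin.
ANONYMOUS = {}
ADMIN = {"role": "admin"}

if __name__ == "__main__":
    for p in ("/admin/users", "/./admin/users", "/Admin/users", "//admin/users"):
        print(f"{p:16} vulnerable={vulnerable_dispatch(p, ANONYMOUS)!r:24} "
              f"hardened={hardened_dispatch(p, ANONYMOUS)!r}")
```

The practical check this suggests for any admin panel is to enumerate every distinct path that resolves to a privileged handler (case variants, dot segments, doubled slashes, alternate hostnames or ports, API endpoints behind the UI) and confirm the authentication decision is made once, centrally, on the resolved route rather than on the string the client sent.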
Mitigation guidance and additional details are available in advisories referenced at https://centralsquare.com and https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr. The CVE was published on 2025-11-12T16:15:37.090.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-131926
Vulnerability details
An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application)
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web application (admin panel), directly enabling exploitation for initial access as described in T1190: Exploit Public-Facing Application.
Affected Assets: CentralSquare Community Development 19.5.7
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly limits the actions performable without identification and authentication, preventing unauthorized admin panel access via bypass.
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources such as the admin panel, mitigating authentication bypass vulnerabilities.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of organizational users for admin functions, directly countering credential-less access exploits.