CVE-2025-64281

Severity: Critical

Published: 12 November 2025

Modified: 31 December 2025
CVSS v3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0011 (29.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-64281 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Centralsquare Community Development. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking places it at the 29.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-64281 is an authentication bypass vulnerability, classified under CWE-288, affecting CentralSquare Community Development version 19.5.7. This flaw enables attackers to gain unauthorized access to the admin panel without requiring valid admin credentials. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high potential impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by remote, unauthenticated attackers over the network with low attack complexity and no need for user interaction or privileges. Successful exploitation provides full access to the admin panel, allowing attackers to perform administrative actions, potentially leading to complete compromise of the affected system.

Mitigation guidance and additional details are available in advisories referenced at https://centralsquare.com and https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr. The CVE was published on 2025-11-12T16:15:37.090.

Vulnerability details

An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application (admin panel), directly enabling exploitation for initial access as described in T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29980 (same vendor: Centralsquare)
CVE-2025-10294 (shared CWE-288)
CVE-2026-3461 (shared CWE-288)
CVE-2025-67070 (shared CWE-288)
CVE-2026-42760 (shared CWE-288)
CVE-2026-44575 (shared CWE-288)
CVE-2026-1779 (shared CWE-288)
CVE-2025-0316 (shared CWE-288)
CVE-2026-45109 (shared CWE-288)
CVE-2025-5397 (shared CWE-288)

Affected Assets

Vendor: centralsquare
Product: community development
Version: 19.5.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-14 (Permitted Actions Without Identification or Authentication), control type: prevent
Directly limits actions performable without identification and authentication, preventing unauthorized admin panel access via bypass.

AC-3 (Access Enforcement), control type: prevent
Enforces approved authorizations for access to system resources like the admin panel, mitigating authentication bypass vulnerabilities.

Control type: prevent
Requires identification and authentication of organizational users for admin functions, directly countering credential-less access exploits.
