Cyber Resilience

CVE-2025-66698

HighPublic PoC

Published: 13 January 2026

Published
13 January 2026
Modified
05 February 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0050 39.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-66698 is a high-severity Improper Authentication (CWE-287) vulnerability in Semantic-Machines Veda. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2025-66698 is an authentication bypass vulnerability affecting Semantic Machines version 5.4.8. The flaw, classified under CWE-287 (Improper Authentication), allows attackers to circumvent authentication mechanisms by sending a crafted HTTP request to various API endpoints. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, expanded scope, and high confidentiality impact.

A remote, unauthenticated attacker can exploit this vulnerability over the network with minimal effort. By crafting and transmitting a malicious HTTP request to targeted API endpoints, the attacker bypasses authentication controls, gaining unauthorized access to potentially sensitive data or functionality. The impact is primarily on confidentiality, enabling the disclosure of high-value information without affecting integrity or availability.

Mitigation details are available in vendor advisories and related resources, including those at http://semantic.com, http://veda.com, and https://github.com/Perunchess/CVE-2025-66698, published on 2026-01-13. Security practitioners should consult these references for patch information, workarounds, or configuration guidance specific to Semantic Machines v5.4.8.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-66698 enables remote unauthenticated attackers to bypass authentication on public-facing API endpoints via crafted HTTP requests, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287
CVE-2024-13111Shared CWE-287
CVE-2026-29145Shared CWE-287
CVE-2018-25236Shared CWE-287
CVE-2024-53704Shared CWE-287
CVE-2024-57049Shared CWE-287
CVE-2025-12374Shared CWE-287
CVE-2025-15484Shared CWE-287

Affected Assets

semantic-machines
veda
5.4.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 enforces approved authorizations for access to system resources, directly countering authentication bypass by ensuring only authenticated requests succeed.

prevent

IA-8 requires unique identification and authentication of non-organizational users, preventing remote unauthenticated attackers from exploiting API endpoints.

preventrecover

SI-2 identifies, reports, and corrects flaws like this CVE's authentication bypass through timely patching and remediation per vendor advisories.

References