CVE-2025-67274
Published: 26 January 2026
Summary
CVE-2025-67274 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Continuous.Software Aangine. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
CVE-2025-67274 is an information disclosure vulnerability (CWE-200) in continuous.software's Aangine version 2025.2. The issue affects multiple endpoints, including the excel-integration-service template download module, integration-persistence-service job listing module, and portfolio-item-service data retrieval module, enabling unauthorized access to sensitive information. Published on 2026-01-26, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its confidentiality impact.
A remote attacker can exploit this vulnerability over the network with low attack complexity, requiring no authentication, privileges, or user interaction. Exploitation targets the specified service endpoints to extract sensitive data, resulting in high confidentiality impact while leaving integrity and availability unaffected.
Mitigation details are available in vendor resources linked to the CVE, including https://aangine.com, https://continuous.software/products, and https://gist.github.com/c4m0uflag3/26fec868b764c4e7314ad246bab01c88. Security practitioners should consult these for patching instructions, workarounds, or updated configurations specific to Aangine v2025.2 deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206358
Vulnerability details
An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, and portfolio-item-service data retrieval module endpoints.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated info disclosure via public service endpoints directly enables exploitation of a public-facing application (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Remediates the specific software flaw in Aangine v2025.2 that allows unauthorized access to sensitive information via the affected endpoints.
Enforces approved authorizations to block unauthenticated remote access to sensitive data in the excel-integration-service, integration-persistence-service, and portfolio-item-service endpoints.
Monitors and alerts on unauthorized information disclosure attempts targeting the vulnerable endpoints.