Cyber Posture

CVE-2025-68621

Severity: High · Public PoC

Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: fixed in 0.101.0
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (10.1th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-68621 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Triliumnotes Trilium. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 10.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Timing randomization or delays can mask true operation timing and mislead timing-based attacks. (addresses CWE-208)
- Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation. (addresses CWE-208)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Timing attack enables remote authentication bypass on the exposed sync endpoint of a public-facing application, directly matching T1190 for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Trilium Notes is an open-source, cross-platform hierarchical note-taking application with a focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to the victim's knowledge base. This vulnerability is fixed in 0.101.0.

Deeper analysis (AI-generated)

Trilium Notes, an open-source cross-platform hierarchical note-taking application designed for building large personal knowledge bases, is affected by CVE-2025-68621. This critical timing attack vulnerability, classified under CWE-208 (Observable Timing Discrepancy), exists in the sync authentication endpoint in versions prior to 0.101.0. It enables attackers to recover HMAC authentication hashes byte-by-byte via statistical timing analysis, with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Unauthenticated remote attackers can exploit this vulnerability over the network by sending crafted authentication requests and measuring response times with high precision. Through repeated statistical analysis, they can reconstruct the full HMAC hash without knowing the password, achieving complete authentication bypass. Successful exploitation grants full read/write access to the victim's knowledge base.

The vulnerability is addressed in Trilium Notes version 0.101.0. Security practitioners should upgrade to this version immediately. Additional mitigation details are available in the GitHub security advisory at https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x and the fixing pull request at https://github.com/TriliumNext/Trilium/pull/8129.

Details

CWE(s): CWE-208 (Observable Timing Discrepancy)

Affected Products: triliumnotes trilium ≤ 0.101.0

CVEs Like This One

CVE-2026-40972 (shared CWE-208)
CVE-2026-28464 (shared CWE-208)
CVE-2026-5086 (shared CWE-208)
CVE-2026-41588 (shared CWE-208)
CVE-2025-70949 (shared CWE-208)
CVE-2025-48630 (shared CWE-208)
CVE-2024-42512 (shared CWE-208)
CVE-2024-13939 (shared CWE-208)
CVE-2026-23519 (shared CWE-208)

References