CVE-2025-69203
Published: 01 January 2026
Summary
CVE-2025-69203 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Signal K Server (vendor: signalk). Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Match Legitimate Resource Name or Location (T1036.005); its exploit-likelihood ranking sits at the 9.1 percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.
Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.
Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.
Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.
Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.
Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.
Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.
Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
UI manipulation + device name enumeration + XFF spoofing directly enable masquerading (T1036.005) to obtain valid admin accounts (T1078) via social engineering on a public-facing app (T1190), resulting in privilege escalation (T1068).
NVD Description
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests readonly access. The access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses. Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue.
Deeper analysis
CVE-2025-69203 affects Signal K Server, a server application that runs on a central hub in a boat, specifically versions prior to 2.19.0 in the access request system. The vulnerability arises from two related features: the admin UI prominently displays the `description` field from access requests while making the `permissions` field less visible or separate, allowing attackers to request `admin` permissions with a misleading readonly description; and the access request handler unconditionally trusts the `X-Forwarded-For` HTTP header to determine client IP addresses, enabling IP spoofing. These issues, combined with an information disclosure vulnerability that allows enumeration of device/source names, facilitate convincing social engineering attacks against administrators.
Any network-accessible attacker without privileges can exploit this by crafting an access request that impersonates a legitimate device using an enumerated name, provides a benign `description` suggesting readonly access, requests elevated `admin` permissions, and spoofs a trusted internal IP address via the `X-Forwarded-For` header. This creates a highly convincing approval interface for administrators, who may grant the request due to the apparent legitimacy, resulting in unauthorized elevated access to the server and potential low-level impacts on confidentiality, integrity, and availability as scored by CVSS 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
Advisories recommend upgrading to Signal K Server version 2.19.0, which addresses these issues in the access request system, as detailed in the GitHub security advisory (GHSA-vfrf-vcj7-wvr8) and release notes (v2.19.0).
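The two weaknesses described in the NVD text and the analysis above both come down to what the server derives from the request and what it shows the administrator. The following Node.js snippet is an added example, not Signal K Server's own code or its fix: `resolveClientIp`, `summarizeAccessRequest`, the `TRUSTED_PROXIES` list and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not Signal K Server's own code: derive the client IP of an
// access request without trusting X-Forwarded-For unconditionally, and show
// the requested permission level before the free-text description.

// Assumed deployment detail: the reverse proxies allowed to set the header.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '10.0.0.5']);

// Walk the X-Forwarded-For chain from the right (the hop nearest to us) and
// skip entries that are known proxies; the first other address is the client.
// A request whose direct peer is not a trusted proxy keeps its socket address,
// so a header added by the client itself is ignored.
function resolveClientIp(req, trustedProxies = TRUSTED_PROXIES) {
  const peer = req.socket.remoteAddress;
  if (!trustedProxies.has(peer)) return peer;
  const raw = req.headers['x-forwarded-for'];
  if (typeof raw !== 'string') return peer;
  const hops = raw.split(',').map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return peer; // every hop was a proxy: report the peer, not the header
}

// One-line summary for the pending-request list: permissions first, then
// clientId and resolved IP, then the description with whitespace collapsed.
function summarizeAccessRequest(request, clientIp) {
  const perms = String(request.permissions || 'readonly').toUpperCase();
  const desc = String(request.description || '').replace(/\s+/g, ' ').slice(0, 80);
  return `[${perms}] ${request.clientId} from ${clientIp}: "${desc}"`;
}

// Constructed samples (not captured traffic). Direct connection claiming an
// internal address via the header: the header is ignored.
const directSpoof = {
  socket: { remoteAddress: '203.0.113.7' },
  headers: { 'x-forwarded-for': '192.168.1.10' },
};
// Via the trusted proxy, which appended the real client after a forged entry.
const viaProxy = {
  socket: { remoteAddress: '10.0.0.5' },
  headers: { 'x-forwarded-for': '192.168.1.10, 198.51.100.20' },
};
const pending = { clientId: 'nav-display', description: 'readonly nav data', permissions: 'admin' };

console.log(resolveClientIp(directSpoof));   // 203.0.113.7
console.log(resolveClientIp(viaProxy));      // 198.51.100.20
console.log(summarizeAccessRequest(pending, resolveClientIp(directSpoof)));
```

The summary line makes a request for `admin` with a "readonly" description read as `[ADMIN] nav-display from 203.0.113.7: "readonly nav data"`, so the granted level is the first thing the administrator sees.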