Cyber Resilience

CVE-2025-69203

Severity: Medium · Public PoC

Published: 01 January 2026
Modified: 06 January 2026
KEV Added: not listed
Patch: available (Signal K Server 2.19.0)
CVSS Score v3.1: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0027 (18.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-69203 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Signalk Signal K Server. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Match Legitimate Resource Name or Location (T1036.005). The CVE is ranked at the 18.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-69203 affects Signal K Server, a server application that runs on a central hub in a boat, specifically versions prior to 2.19.0 in the access request system. The vulnerability arises from two related features. First, the admin UI prominently displays the `description` field from access requests while showing the `permissions` field less prominently or separately, so an attacker can request `admin` permissions alongside a description that suggests readonly access. Second, the access request handler unconditionally trusts the `X-Forwarded-For` HTTP header to determine the client IP address, enabling IP spoofing. Combined with an information disclosure vulnerability that allows enumeration of device/source names, these issues facilitate convincing social engineering attacks against administrators.

Any network-accessible attacker without privileges can exploit this by crafting an access request that impersonates a legitimate device using an enumerated name, provides a benign `description` suggesting readonly access, requests elevated `admin` permissions, and spoofs a trusted internal IP address via the `X-Forwarded-For` header. The resulting approval prompt looks highly legitimate, so an administrator may grant the request. The outcome is unauthorized elevated access to the server, scored by CVSS 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) as low impact on confidentiality, integrity, and availability.

Advisories recommend upgrading to Signal K Server version 2.19.0, which addresses these issues in the access request system, as detailed in the GitHub security advisory (GHSA-vfrf-vcj7-wvr8) and release notes (v2.19.0).

Vulnerability details

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that, when combined with each other and with an information disclosure vulnerability, enable convincing social engineering attacks against administrators.

When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests readonly access.

The access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses.

Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1036.005 Match Legitimate Resource Name or Location (Stealth)
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

UI manipulation, device name enumeration and X-Forwarded-For spoofing directly enable masquerading (T1036.005) to obtain valid admin accounts (T1078) via social engineering on a public-facing application (T1190), resulting in privilege escalation (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33950 (same product: Signalk Signal K Server)
CVE-2025-68619 (same product: Signalk Signal K Server)
CVE-2025-66398 (same product: Signalk Signal K Server)
CVE-2026-33951 (same product: Signalk Signal K Server)
CVE-2026-23515 (same product: Signalk Signal K Server)
CVE-2025-68620 (same product: Signalk Signal K Server)
CVE-2026-39320 (same product: Signalk Signal K Server)
CVE-2025-68272 (same product: Signalk Signal K Server)
CVE-2026-22734 (shared CWE-290)
CVE-2026-42354 (shared CWE-290)

Affected Assets

signalk
signal k server
2.19.0 · ≤ 2.19.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mitigates unconditional trust of the X-Forwarded-For header by requiring validation of all untrusted input used for client identification and display.

AC-3 Access Enforcement (prevent): Enforces that access decisions and permission grants are based on the actual requested permissions rather than misleading description text shown in the admin UI.

Device identification (prevent): Requires cryptographic or authenticated device identification so that enumerated names and spoofed IPs cannot be used to impersonate legitimate devices in access requests.
