CVE-2025-69270
Published: 12 January 2026
Summary
CVE-2025-69270 is a Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in Broadcom DX NetOps Spectrum. It is rated low severity here, with a CVSS base score of 2.3 (Low).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 19.7th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69270 is an Information Exposure Through Query Strings in GET Request vulnerability (CWE-598) in Broadcom DX NetOps Spectrum on Windows and Linux. Published on 2026-01-12, it affects versions 24.3.8 and earlier. Placing a session identifier in a GET query string lets it leak into web-server and proxy logs, browser history and the Referer header sent to other sites, which is what enables the session hijacking the advisory describes.
The deeper-analysis record gives a CVSS v3.1 base score of 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, i.e. exploitable remotely over the network by an unauthenticated attacker with low attack complexity and no user interaction, with high impact on confidentiality, integrity and availability. This does not agree with the 2.3 (Low) base score in the summary above; the page carries two incompatible scores, and the Broadcom advisory linked below should be treated as the authoritative source. Whichever score is correct, the mechanics are the same: an attacker who intercepts or otherwise obtains a session token exposed in a query string can replay it to hijack the active user session.
Broadcom has published a security advisory with details on mitigation and patches, available at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756.
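An added example, not Broadcom's code and not part of the original entry, showing how a practitioner would hunt for this weakness class in web-server or proxy access logs. It parses constructed combined-log-format lines, flags session-identifier parameters both in the request line and in the Referer header (the two places a CWE-598 leak shows up in logs), and redacts them before the line is forwarded to a SIEM. The parameter names in SESSION_PARAM_NAMES, the paths and the sample lines are assumptions; the page does not name the affected Spectrum parameter.

```python
"""Hunt for CWE-598 exposure in HTTP access logs (added example).

Not Broadcom code and not the page's own. It scans constructed
combined-log-format lines for query-string parameters whose names look
like session identifiers. SESSION_PARAM_NAMES, the paths and the log
lines are assumptions chosen for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in Apache/Nginx combined log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2026:10:01:02 +0000] "GET /spectrum/app?JSESSIONID=4F3A9C1B2D8E&view=alarms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2026:10:01:09 +0000] "GET /spectrum/app?view=topology HTTP/1.1" 200 8190 "https://netops.example/spectrum/app?JSESSIONID=4F3A9C1B2D8E&view=alarms" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2026:10:02:31 +0000] "POST /spectrum/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.11 - - [12/Jan/2026:10:03:00 +0000] "GET /spectrum/app?token=eyJhbGciOiJIUzI1NiJ9.e30.abc HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.13 - - [12/Jan/2026:10:04:15 +0000] "GET /spectrum/app;jsessionid=9A8B7C6D5E4F?view=events HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed parameter names; extend with the product's real session parameter.
SESSION_PARAM_NAMES = {"jsessionid", "sessionid", "session_id", "sid", "token", "auth", "authtoken"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Java servlet containers may also carry the id as a path parameter (;jsessionid=...).
PATH_JSESSIONID_RE = re.compile(r";jsessionid=[^/?;]*", re.IGNORECASE)


def sensitive_params(target):
    """Names of query parameters (or the ;jsessionid path parameter) that carry a session id."""
    parts = urlsplit(target)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True) if k.lower() in SESSION_PARAM_NAMES}
    if PATH_JSESSIONID_RE.search(parts.path):
        names.add("jsessionid (path parameter)")
    return sorted(names)


def scan_log(text):
    """Return one finding per request line or Referer that exposes a session id."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        f = m.groupdict()
        path = urlsplit(f["target"]).path
        hits = sensitive_params(f["target"])
        if hits:
            findings.append({"ip": f["ip"], "ts": f["ts"], "where": "request", "path": path, "params": hits})
        # The Referer is how a token leaks to a different host or site.
        if f["referer"] != "-":
            ref_hits = sensitive_params(f["referer"])
            if ref_hits:
                findings.append({"ip": f["ip"], "ts": f["ts"], "where": "referer", "path": path, "params": ref_hits})
    return findings


def redact(target):
    """Mask session-id values in a URL or request target before the log leaves the host."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in SESSION_PARAM_NAMES else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    path = PATH_JSESSIONID_RE.sub(";jsessionid=[REDACTED]", parts.path)
    return urlunsplit(parts._replace(path=path, query=urlencode(pairs, safe="[]")))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(redact("/spectrum/app?JSESSIONID=4F3A9C1B2D8E&view=alarms"))
```

Run against real logs, the interesting finding is the Referer hit: it shows the token being handed to whatever host the user navigated to next, which is the exposure path that no amount of TLS on the original site closes.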
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1954
Vulnerability details
Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows and Linux allows Session Hijacking. This issue affects DX NetOps Spectrum: 24.3.8 and earlier.
- CWE(s): CWE-598 (Information Exposure Through Query Strings in GET Request)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1539 Steal Web Session Cookie
Why these techniques?
Exposing the session token in the query string lets a remote attacker who can reach the public-facing web application obtain it (T1190) and then replay it to take over the user's web session (T1539). The token ends up in places an attacker can read without touching the application itself: proxy and web-server logs, browser history, and Referer headers sent to other sites.
Affected Assets
- Broadcom DX NetOps Spectrum 24.3.8 and earlier, on Windows and Linux
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the software flaw in DX NetOps Spectrum that places session tokens in GET query strings; apply the fix referenced in the Broadcom advisory.
- SC-23 (Session Authenticity): protects the authenticity of communications sessions, so a token that does leak cannot simply be replayed. In practice this means session identifiers carried only in HttpOnly, Secure cookies bound to server-side state, re-issued at login and invalidated at logout.
- Transmission protection: encrypting the transport keeps a query-string token from being read on the wire by an unauthenticated remote attacker, but it is a partial mitigation only, because the token still lands in server logs, browser history and Referer headers.
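An added example, not Broadcom's code and not part of the original entry, of the session handling that the SC-23 control points at: the session identifier travels only in an HttpOnly, Secure, SameSite cookie bound to a server-side store, a token arriving in a GET query string is refused outright, and a fresh token is minted at login. The cookie name, the parameter names that are refused, the in-memory store and the handler signature are all assumptions for the example.

```python
"""Session handling that avoids CWE-598 (added example).

Not Broadcom code and not the page's own. It implements the pattern the
mitigations describe: the session identifier travels only in an HttpOnly,
Secure, SameSite cookie bound to a server-side store, and a token arriving
in a GET query string is refused. The cookie name, parameter names, store
and handler signature are assumptions for the example.
"""
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl

SESSION_COOKIE = "SPECTRUM_SESSION"                              # assumed cookie name
QUERY_TOKEN_NAMES = {"jsessionid", "sessionid", "sid", "token"}  # assumed names to refuse


class SessionStore:
    """Server-side table token -> username; the client only ever holds the opaque token."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output: not guessable
        self._sessions[token] = username
        return token

    def lookup(self, presented):
        # Compare in constant time so response timing does not leak token prefixes.
        for token, user in self._sessions.items():
            if hmac.compare_digest(token.encode(), presented.encode()):
                return user
        return None

    def revoke(self, token):
        self._sessions.pop(token, None)


def session_cookie_header(token, max_age=900):
    """Set-Cookie value: HttpOnly keeps scripts away from it, Secure keeps it off
    plaintext HTTP, SameSite=Strict stops it riding along on cross-site requests."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = token
    m = jar[SESSION_COOKIE]
    m["httponly"] = True
    m["secure"] = True
    m["samesite"] = "Strict"
    m["path"] = "/"
    m["max-age"] = max_age
    return jar.output(header="").strip()


def login(store, username):
    """After successful authentication (credential check elided here) mint a fresh
    token; never keep a token that existed before login (session fixation)."""
    token = store.create(username)
    return 302, "", {"Location": "/app", "Set-Cookie": session_cookie_header(token)}


def handle_request(store, method, path, query, headers):
    """Return (status, body, response_headers) for an authenticated endpoint."""
    # 1. Refuse session identifiers in the URL: they would land in proxy and
    #    server logs, browser history and Referer headers (the CWE-598 leak).
    for name, _ in parse_qsl(query, keep_blank_values=True):
        if name.lower() in QUERY_TOKEN_NAMES:
            return 400, "session identifiers are not accepted in the query string", {}
    # 2. Read the token only from the Cookie header and validate it server-side.
    jar = SimpleCookie(headers.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    user = store.lookup(morsel.value) if morsel else None
    if user is None:
        return 401, "no valid session", {}
    return 200, f"{method} {path} as {user}", {}


if __name__ == "__main__":
    store = SessionStore()
    status, _, hdrs = login(store, "alice")
    token = hdrs["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(hdrs["Set-Cookie"])
    print(handle_request(store, "GET", "/app", f"sid={token}", {}))                                  # refused
    print(handle_request(store, "GET", "/app", "view=alarms", {"Cookie": f"{SESSION_COOKIE}={token}"}))  # accepted
```

Refusing the query-string form with a 400 rather than silently ignoring it matters: a client library that has been sending the token in the URL keeps doing so until something breaks, and every one of those requests is another log line with the secret in it.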