Cyber Posture

CVE-2025-69602

Critical · Public PoC

Published: 28 January 2026
Modified: 09 February 2026
KEV Added: not listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69602 is a critical-severity Session Fixation (CWE-384) vulnerability in Altumcode 66Biolinks. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-12 (Session Termination).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SC-23, Session Authenticity): Directly requires mechanisms to protect communications session authenticity, such as regenerating session identifiers after authentication to prevent fixation and hijacking.
- prevent: Mandates management and periodic refreshing of authenticators, including session identifiers, to avoid reuse across authentications.
- prevent (AC-12, Session Termination): Enforces session termination after defined conditions, limiting the exploitation window for fixed sessions.

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Session fixation directly enables browser session hijacking by allowing an attacker to control a session cookie that becomes valid post-authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session.

Deeper analysis

CVE-2025-69602 is a session fixation vulnerability in 66biolinks version 62.0.0, a product developed by AltumCode. The flaw occurs because the application does not regenerate the session identifier after successful authentication, resulting in the reuse of the same session cookie value for users logging in from the same browser. This allows an attacker who can set or predict a session ID to potentially hijack an authenticated session. The vulnerability is classified under CWE-384 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). It was published on 2026-01-28T19:16:24.017.

The vulnerability can be exploited remotely by any unauthenticated attacker over the network with low attack complexity and no user interaction required. By injecting or predicting a session ID—such as through a crafted link or prior observation of session behavior—the attacker can fixate the session before a victim logs in. Upon successful authentication, the victim unwittingly adopts the attacker's session, enabling the attacker to hijack the session and access sensitive data or perform actions with the victim's privileges, compromising high confidentiality and integrity.

Advisory details, including potential mitigation steps, are available in the referenced GitHub Gist at https://gist.github.com/Waqar-Arain/c8117308325a91b8f3b7829646915275.
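The regenerate-on-login requirement behind SC-23 and the idle-termination requirement behind AC-12, worked through as an added Python example (a constructed toy session store, not code from 66biolinks or AltumCode): `login_vulnerable` keeps the pre-authentication session ID as the advisory describes, `login_fixed` discards it and issues a fresh one, and `session_survives_login` is the check a reviewer can run against either handler.

```python
import secrets
import time

# Constructed toy session store for illustration; not 66biolinks/AltumCode code.
class SessionStore:
    def __init__(self, idle_timeout=900):
        self.sessions = {}          # sid -> {"user": str or None, "last_seen": float}
        self.idle_timeout = idle_timeout

    def new_session(self, now=None):
        """Issue an unauthenticated session, e.g. on first visit to the login page."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "last_seen": now or time.time()}
        return sid

    def lookup(self, sid, now=None):
        """Return the session record, or None if unknown or idle-expired (AC-12 style)."""
        now = now or time.time()
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            del self.sessions[sid]          # terminate the session after the idle limit
            return None
        s["last_seen"] = now
        return s

    def login_vulnerable(self, sid, user):
        """CWE-384 pattern from the advisory: the pre-auth SID stays valid after login."""
        s = self.lookup(sid)
        if s is None:
            return None
        s["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """SC-23 style: drop the pre-auth SID and bind the user to a freshly issued one."""
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

def session_survives_login(login_method_name):
    """Check: does a SID known before login still identify the authenticated user after it?"""
    store = SessionStore()
    pre_auth_sid = store.new_session()      # value observable before the victim authenticates
    getattr(store, login_method_name)(pre_auth_sid, "victim")
    s = store.lookup(pre_auth_sid)
    return s is not None and s["user"] == "victim"
```

A `True` result from `session_survives_login` is the condition the NVD description reports for v62.0.0; the fixed handler yields `False` because the pre-authentication identifier no longer resolves to any session.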

Details

CWE(s): CWE-384 (Session Fixation)

Affected Products: altumcode 66biolinks 62.0.0

CVEs Like This One

- CVE-2026-31940 (shared CWE-384)
- CVE-2024-56529 (shared CWE-384)
- CVE-2026-24352 (shared CWE-384)
- CVE-2025-7014 (shared CWE-384)
- CVE-2026-23796 (shared CWE-384)
- CVE-2023-53741 (shared CWE-384)
- CVE-2025-63529 (shared CWE-384)
- CVE-2026-40010 (shared CWE-384)
- CVE-2026-33757 (shared CWE-384)
- CVE-2025-29928 (shared CWE-384)

References