CVE-2025-70029
Published: 11 February 2026
Summary
CVE-2025-70029 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Sunbird-Ed SunbirdEd-portal. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 1.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-70029 affects Sunbird-Ed's SunbirdEd-portal version 1.13.4, where the application disables TLS/SSL certificate validation by explicitly setting 'rejectUnauthorized': false in HTTP request options. This configuration leads to improper certificate validation (CWE-295), enabling attackers to obtain sensitive information. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-02-11.
Any attacker with network access can exploit this vulnerability with low complexity, without privileges or user interaction, and with scope unchanged. Exploitation allows high-impact confidentiality breaches, such as intercepting sensitive data via man-in-the-middle attacks, because without certificate validation the application's outbound requests are exposed to tampering or eavesdropping.
References for further details include a GitHub Gist at https://gist.github.com/zcxlighthouse/e662c8316f98a1c72735cda4f6bfcfe6, along with the Sunbird-Ed organization page at https://github.com/Sunbird-Ed and the SunbirdEd-portal repository at https://github.com/Sunbird-Ed/SunbirdEd-portal.
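The check below is an added example, not code from SunbirdEd-portal or the referenced Gist. It scans JavaScript source text for the 'rejectUnauthorized': false setting described above and shows the corrected options, where an endpoint signed by a private CA is handled by trusting that CA through the Node.js ca option instead of turning validation off. The function names, sample source and host name are constructed for illustration.

```javascript
// Added example: audit Node.js source text for disabled TLS certificate validation.
// All names and the sample input below are constructed for illustration.

// Matches the option key (quoted or bare) assigned false or 0. Comparisons such
// as `rejectUnauthorized === false` do not match.
const DISABLED_VALIDATION = /(['"]?)rejectUnauthorized\1\s*[:=]\s*(?:false|0)\b/;

// Returns one finding per offending line, skipping whole-line comments.
function findDisabledValidation(source, file = '<input>') {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    if (/^\s*(?:\/\/|\*)/.test(text)) return;
    if (DISABLED_VALIDATION.test(text)) {
      findings.push({ file, line: index + 1, text: text.trim() });
    }
  });
  return findings;
}

// Corrected options: validation stays on. If the peer certificate is issued by
// a private CA, pass that CA's PEM via `ca` rather than disabling the check.
function hardenOptions(options, caPem) {
  const hardened = { ...options, rejectUnauthorized: true };
  if (caPem) hardened.ca = caPem;
  return hardened;
}

// Constructed sample resembling HTTP request options in a helper module.
const SAMPLE_SOURCE = [
  "const options = {",
  "  url: 'https://content-service.example/api',",
  "  'rejectUnauthorized': false,",
  "  // rejectUnauthorized: false (commented out, ignored)",
  "};",
  "agent.options.rejectUnauthorized = false;",
  "const ok = { rejectUnauthorized: true };",
].join('\n');

const findings = findDisabledValidation(SAMPLE_SOURCE, 'sample.js');
for (const f of findings) console.log(`${f.file}:${f.line}: ${f.text}`);
console.log(hardenOptions({ url: 'https://content-service.example/api', rejectUnauthorized: false }));
```

Run over a checkout in CI, a non-empty findings list is a reasonable build-failure condition for the configuration baseline described under the mitigating controls.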
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207396
Vulnerability details
An issue in Sunbird-Ed SunbirdEd-portal v1.13.4 allows attackers to obtain sensitive information. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTP request options.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Disabling certificate validation (rejectUnauthorized: false) directly enables successful Adversary-in-the-Middle attacks on outbound connections, allowing interception of sensitive data.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires cryptographic mechanisms to protect the confidentiality and integrity of transmitted information, preventing MITM attacks that succeed when rejectUnauthorized:false disables TLS certificate validation.
Mandates proper management and use of PKI certificates, which enforces certificate validation and directly blocks the insecure TLS configuration described in the CVE.
Requires establishing and enforcing secure configuration settings that would prohibit the explicit disabling of certificate validation in HTTP client options.