Cyber Resilience

CVE-2025-7014

MediumUpdated

Published: 29 January 2026

Published
29 January 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0030 21.8th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-7014 is a medium-severity Session Fixation (CWE-384) vulnerability in Qrmenumpro Menu Panel. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 21.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-12 (Session Termination).

Deeper analysis

CVE-2025-7014 is a Session Fixation vulnerability in the QR Menu Pro Smart Menu Systems Menu Panel that allows Session Hijacking. The affected component is the Menu Panel, with versions through 29012026 impacted. This issue is classified under CWE-384 and carries a CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N), indicating network accessibility, low complexity, low privileges required, user interaction needed, and high confidentiality impact.

Exploitation requires an attacker to have low privileges, such as an authenticated user, and involves tricking the target user into interacting with a maliciously crafted session (UI:R). Over the network (AV:N) with low complexity (AC:L), a successful attack enables session hijacking, granting the attacker high-level access to the victim's confidential session data without impacting integrity or availability.

The Turkish National Cyber Incident Response Center (USOM) published an advisory on this vulnerability at https://www.usom.gov.tr/bildirim/tr-26-0007. The vendor was contacted early regarding disclosure but did not respond, and no patches or specific mitigations are noted in available information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Session fixation directly enables web session hijacking and cookie-based authentication abuse in the affected web panel.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7013Same product: Qrmenumpro Menu Panel
CVE-2026-31940Shared CWE-384
CVE-2026-24352Shared CWE-384
CVE-2025-69602Shared CWE-384
CVE-2026-30808Shared CWE-384
CVE-2025-27661Shared CWE-384
CVE-2025-7015Shared CWE-384
CVE-2026-40010Shared CWE-384
CVE-2022-40916Shared CWE-384
CVE-2026-25101Shared CWE-384

Affected Assets

qrmenumpro
menu panel
29012026

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires protection of session authenticity to prevent fixation and subsequent hijacking of user sessions in the Menu Panel.

prevent

Enforces automatic or explicit session termination/invalidation, limiting an attacker's ability to reuse a fixed session ID after authentication.

prevent

Requires re-authentication before performing sensitive actions, reducing the impact of a hijacked session obtained via fixation.

References