CVE-2025-8261
Published: 28 July 2025
Summary
CVE-2025-8261 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Vaelsys Vaelsys. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136); ranked in the top 32.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Deeper analysis
CVE-2025-8261 is an improper authorization vulnerability in Vaelsys VaelsysV4 version 4.1.0, affecting unknown code within the file /grid/vgrid_server.php of the User Creation Handler component. It has been assigned a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs 266 (Incorrect Privilege Assignment), 285 (Improper Authorization), and NVD-CWE-Other.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables manipulation leading to improper authorization, potentially resulting in low impacts to confidentiality, integrity, and availability.
Vaelsys has issued a security advisory stating that the reported behavior does not permit actions beyond those already allowed to authenticated administrative users, concluding that no changes to system configuration or operational practices are necessary. The vulnerability's real existence remains doubted, though a public exploit is available via a GitHub repository detailing unauthorized user creation in the Vaelsys V4 platform.
In notable context, recent VulDB entries confirm the issue's disclosure and public exploit availability, but the vendor's analysis disputes its severity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22856
Vulnerability details
A weakness has been identified in Vaelsys VaelsysV4 4.1.0. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component User Creation Handler. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The…
more
exploit has been made available to the public and could be used for attacks. The real existence of this vulnerability is still doubted at the moment. The vendor explains: "Based on Vaelsys' analysis, the reported behavior does not allow actions beyond those already permitted to authenticated administrative users, and no change in system configuration or operational practices is necessary."
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The improper authorization vulnerability in the User Creation Handler allows remote, unauthenticated attackers to create arbitrary user accounts, including administrative ones, via crafted POST requests to /grid/vgrid_server.php. This directly enables T1136/T1136.001 (Create Account/Local Account) for persistence and T1190 (Exploit Public-Facing Application) as the initial access vector.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization decisions on the User Creation Handler so that only permitted actions on /grid/vgrid_server.php can succeed.
Limits the privileges assigned to administrative accounts, reducing the impact of any incorrect privilege assignment during user creation.
Governs the account creation workflow and associated authorization checks, directly addressing the reported manipulation path.