Cyber Resilience

CVE-2025-8261

MediumPublic PoC

Published: 28 July 2025

Published
28 July 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0053 67.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8261 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Vaelsys Vaelsys. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136); ranked in the top 32.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).

Deeper analysis

CVE-2025-8261 is an improper authorization vulnerability in Vaelsys VaelsysV4 version 4.1.0, affecting unknown code within the file /grid/vgrid_server.php of the User Creation Handler component. It has been assigned a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs 266 (Incorrect Privilege Assignment), 285 (Improper Authorization), and NVD-CWE-Other.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables manipulation leading to improper authorization, potentially resulting in low impacts to confidentiality, integrity, and availability.

Vaelsys has issued a security advisory stating that the reported behavior does not permit actions beyond those already allowed to authenticated administrative users, concluding that no changes to system configuration or operational practices are necessary. The vulnerability's real existence remains doubted, though a public exploit is available via a GitHub repository detailing unauthorized user creation in the Vaelsys V4 platform.

In notable context, recent VulDB entries confirm the issue's disclosure and public exploit availability, but the vendor's analysis disputes its severity.

EU & UK References

Vulnerability details

A weakness has been identified in Vaelsys VaelsysV4 4.1.0. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component User Creation Handler. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The…

more

exploit has been made available to the public and could be used for attacks. The real existence of this vulnerability is still doubted at the moment. The vendor explains: "Based on Vaelsys' analysis, the reported behavior does not allow actions beyond those already permitted to authenticated administrative users, and no change in system configuration or operational practices is necessary."

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The improper authorization vulnerability in the User Creation Handler allows remote, unauthenticated attackers to create arbitrary user accounts, including administrative ones, via crafted POST requests to /grid/vgrid_server.php. This directly enables T1136/T1136.001 (Create Account/Local Account) for persistence and T1190 (Exploit Public-Facing Application) as the initial access vector.

CVEs Like This One

CVE-2026-2952Same product: Vaelsys Vaelsys
CVE-2025-8259Same product: Vaelsys Vaelsys
CVE-2026-4990Shared CWE-266, CWE-285
CVE-2025-1226Shared CWE-266, CWE-285
CVE-2026-1597Shared CWE-266, CWE-285
CVE-2025-8756Shared CWE-266, CWE-285
CVE-2026-2105Shared CWE-266, CWE-285
CVE-2025-1815Shared CWE-266, CWE-285
CVE-2025-0484Shared CWE-266, CWE-285
CVE-2026-3724Shared CWE-266, CWE-285

Affected Assets

vaelsys
vaelsys
4.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization decisions on the User Creation Handler so that only permitted actions on /grid/vgrid_server.php can succeed.

prevent

Limits the privileges assigned to administrative accounts, reducing the impact of any incorrect privilege assignment during user creation.

prevent

Governs the account creation workflow and associated authorization checks, directly addressing the reported manipulation path.

References