Cyber Resilience

CVE-2025-8792

Severity: Low · Public PoC

Published: 10 August 2025
Modified: 29 April 2026
CVSS Score (v4.0): 2.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0023 (46.2nd percentile)
Risk Priority: 4 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8792 is a low-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in LitmusChaos Litmus. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Masquerade Account Name (T1036.010). The vulnerability is ranked at the 46.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

A vulnerability classified as problematic has been found in LitmusChaos Litmus up to version 3.19.0. An unknown function is affected. The manipulation leads to client-side enforcement of server-side security, and the attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-602 Client-Side Enforcement of Server-Side Security

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1036.010 Masquerade Account Name (Stealth)
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign.
Why these techniques?

The vulnerability enables bypassing client-side validation of special characters (e.g., !@#$%¨&*) in user profile display names. Because the check is only enforced in the browser, a request sent directly to the server is not validated, facilitating T1036.010 Masquerade Account Name by allowing adversaries to craft deceptive display names.
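As an added illustration (not Litmus's own code), here is the server-side counterpart that the CWE-602 pattern calls for: the character rule the browser enforced is re-checked in a hypothetical Go profile handler, so a request that skipped the client-side check is still rejected. The allow-list (letters, digits, space, '.', '-', '_'), the 64-rune limit, the handler and the request helper are all assumptions for this example, not Litmus's actual policy or API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Assumed policy (not Litmus's own rule): 1..64 runes, each a letter, digit,
// space, '.', '-' or '_'; the !@#$%¨&* class the client filtered is rejected here.
func ValidateDisplayName(name string) error {
	name = strings.TrimSpace(name)
	if n := utf8.RuneCountInString(name); n == 0 || n > 64 {
		return fmt.Errorf("display name length %d out of range", n)
	}
	for _, r := range name {
		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && !strings.ContainsRune(" ._-", r) {
			return fmt.Errorf("display name contains disallowed character %q", r)
		}
	}
	return nil
}

// updateProfile is a hypothetical profile handler: it re-validates the submitted
// name on every request rather than trusting the browser-side check.
func updateProfile(w http.ResponseWriter, r *http.Request) {
	if err := ValidateDisplayName(r.FormValue("displayName")); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// SubmitDisplayName sends a constructed request straight to the handler, the way
// a client that bypassed the browser check would, and returns the HTTP status.
func SubmitDisplayName(name string) int {
	req := httptest.NewRequest(http.MethodPost, "/profile?displayName="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	updateProfile(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(SubmitDisplayName("Alice Smith"), SubmitDisplayName("admin!@#")) // 200 400
}
```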

Affected Assets

litmuschaos/litmus, versions ≤ 3.19.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
