CVE-2025-8857
Published: 29 August 2025
Summary
CVE-2025-8857 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Clinic Image System, developed by Changing. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks at the 35.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-8 (Security and Privacy Engineering Principles).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates proper management and protection of authenticators, directly preventing the embedding of hard-coded credentials in source code.
SA-8 requires application of security engineering principles during system development to eliminate insecure practices like hard-coded administrator credentials.
SI-2 ensures timely identification, reporting, and correction of software flaws such as hard-coded credentials through monitoring and patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded admin credentials directly enable use of valid accounts (T1078) for remote unauthenticated access to a public-facing application (T1190).
NVD Description
Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code.
Deeper analysis
CVE-2025-8857 is a critical vulnerability in the Clinic Image System developed by Changing, where hard-coded administrator credentials are embedded in the source code. This issue, classified as CWE-798 (Use of Hard-coded Credentials), enables unauthenticated remote attackers to gain access by extracting and using those credentials. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-08-29.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no privileges required. By reviewing the publicly accessible source code, they can obtain the hard-coded credentials and log in as administrators, achieving high impacts on confidentiality, integrity, and availability, which could lead to full system compromise.
Advisories detailing mitigation are available from CHT Security (https://www.chtsecurity.com/news/276d7867-dfb1-4a91-bc34-97b0f6a117a3) and TWCERT/CC (https://www.twcert.org.tw/en/cp-139-10363-601c9-2.html, https://www.twcert.org.tw/tw/cp-132-10362-c6021-1.html).
Details
- CWE(s)