CVE-2025-1214
Published: 12 February 2025
Description
Adversaries may create an account to maintain access to victim systems.
Security Summary
CVE-2025-1214 is a critical vulnerability in pihome-shc PiHome 2.0, affecting an unknown part of the file /user_accounts.php?uid within the Role-Based Access Control component. The issue stems from missing authorization, mapped to CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-12.
The vulnerability enables remote exploitation by an attacker possessing low privileges, such as a low-privileged authenticated user. With low attack complexity and no requirement for user interaction, successful exploitation results in limited impacts: low confidentiality (C:L), integrity (I:L), and availability (A:L) effects.
Reference URLs point to VulDB advisories (vuldb.com/?ctiid.295173, vuldb.com/?id.295173, vuldb.com/?submit.497533) and GitHub repositories hosting published proof-of-concept exploits (github.com/janssensjelle/published-pocs/blob/main/pihomehvac-improper-access-control.md). These indicate public disclosure of the exploit, which may be used, though no specific patch or mitigation details are outlined in the provided information.
The exploit has been disclosed to the public, increasing the risk of active use against unpatched PiHome 2.0 instances.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) in /user_accounts.php allows authenticated users to create admin accounts without privilege checks, enabling exploitation for privilege escalation (T1068) and unauthorized account creation (T1136).