Cyber Posture

CVE-2025-13768

Severity: High
Published: 28 November 2025
Modified: 01 December 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Enforces approved authorizations for access, directly preventing authentication bypass via modification of user-controlled parameters such as the user ID.
- Prevent: Requires validation of information inputs, mitigating exploitation by validating and rejecting tampered parameters used for impersonation.
- Prevent: Limits damage from successful impersonation by enforcing least privilege, restricting unauthorized actions even if a low-privilege user is impersonated.

Security Summary

CVE-2025-13768 is an authentication bypass vulnerability in WebITR, a software product developed by Uniong. The flaw, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), enables authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a valid user ID to exploit this issue. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability.

The attack requires low-privilege authenticated access over the network, with high attack complexity due to the need to first acquire a target user ID. Once exploited, attackers can impersonate any user, potentially escalating privileges and performing unauthorized actions within the WebITR system, such as accessing sensitive data or modifying configurations.

TWCERT advisories detail the vulnerability and provide guidance on mitigation; refer to https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html and https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html for patches or workarounds. The CVE was published on 2025-11-28.

Details

CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products: uniong / webitr, versions ≤ 2_1_0_34

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is an authentication bypass that allows low-privileged attackers to impersonate any user after obtaining a user ID, directly enabling exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html
- https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html