CVE-2025-1847
Published: 03 March 2025
Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Security Summary
CVE-2025-1847 is a critical improper authorization vulnerability (CWE-266, CWE-285) in zj1983 zz up to version 2024-8. The affected processing within the software has not been identified; manipulating it bypasses authorization controls. Published on 2025-03-03, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability allows remote exploitation by an attacker possessing low privileges, such as an authenticated user, with low attack complexity and no requirement for user interaction. Successful exploitation can result in low impacts to confidentiality, integrity, and availability, potentially allowing limited unauthorized actions within the affected processing.
Advisories note that the exploit has been publicly disclosed and may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or specific mitigations are detailed in available references, which include VulDB entries and GitHub documentation.
Notable context includes the public availability of the exploit, increasing the risk of real-world abuse, with no reported patches from the unresponsive vendor.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper authorization vulnerability (CWE-285) enables vertical privilege escalation (T1068) from ordinary users to administrator privileges and facilitates account manipulation (T1098) by allowing modification, deletion, or addition of administrator information remotely.