Cyber Posture

CVE-2025-22390

Severity: High

Published: 04 January 2025
Modified: 20 May 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0024 (percentile 47.3)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate complexity to resist modern attack techniques such as password spraying or offline password cracking.

Security Summary

CVE-2025-22390 affects Optimizely EPiServer.CMS.Core versions prior to 12.32.0, where insufficient enforcement of password complexity requirements allows users to set passwords with a minimum length of only 6 characters. This weakness fails to provide adequate resistance against modern attack techniques, such as password spraying or offline password cracking. The vulnerability is mapped to CWE-521 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By leveraging the weak password policy, attackers can perform password spraying campaigns or crack stolen password hashes offline, potentially gaining unauthorized access to CMS user accounts and exposing sensitive data.

Optimizely has issued security advisory CMS-2025-02, available at https://support.optimizely.com/hc/en-us/articles/33182255281293-Content-Management-System-CMS-Security-Advisory-CMS-2025-02, which details mitigation steps. Practitioners should upgrade to EPiServer.CMS.Core 12.32.0 or later to address the issue.

Details

CWE(s): CWE-521

Affected Products

optimizely / optimizely cms: ≤ 12.32.0
