CVE-2025-22983

HighPublic PoC

Published: 14 January 2025

Published

14 January 2025

Modified

21 April 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0039 59.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-22983 is an access control vulnerability in iceCMS version 2.2.0, specifically within the /square/getAllSquare/circle component. Published on 2025-01-14, the issue stems from CWE-922 (Omission of Security-relevant Information) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low complexity, no privileges or user interaction required, and no impact on integrity or availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network by accessing the affected endpoint, bypassing intended access controls to retrieve sensitive information from the system.

Details on mitigation and exploitation are documented in the referenced advisory at https://github.com/H3rmesk1t/vulnerability-paper/blob/main/iceCMS-2.2.0-Incorrect%20Access%20Control.md.

Details

CWE(s): CWE-922

Affected Products

thecosy

icecms

2.2.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The CVE describes an access control vulnerability in a public-facing web application (iceCMS) endpoint allowing unauthenticated access to sensitive information, directly enabling T1190: Exploit Public-Facing Application.

References

https://github.com/H3rmesk1t/vulnerability-paper/blob/main/iceCMS-2.2.0-Incorrect%20Access%20Control.md
Exploit, Third Party Advisory · cve@mitre.org