Cyber Posture

CVE-2025-2322

Severity: High · Public PoC

Published: 15 March 2025
Modified: 24 October 2025
KEV Added:
Patch:
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0009 (25.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Security Summary

CVE-2025-2322 is a critical vulnerability involving hard-coded credentials in the springboot-openai-chatgpt application at commit e84f6f5 from repository owner 274056675. It affects an unknown part of the file /chatgpt-boot/src/main/java/org/springblade/modules/mjkj/controller/OpenController.java. Classified under CWE-259 and CWE-798, the issue has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The product lacks versioning, so details on affected and unaffected releases are unavailable.

The vulnerability can be exploited remotely without authentication or user interaction. An attacker who reaches the affected component can obtain the hard-coded credentials, with impacts rated low on confidentiality, integrity, and availability (C:L/I:L/A:L).

Advisories from VulDB (ctiid.299751, id.299751, submit.505694) and a related cnblogs post document the issue, noting that the exploit has been publicly disclosed and may be actively used. The vendor was contacted early but provided no response, and no patches or mitigations are specified.

This flaw concerns a Spring Boot integration with OpenAI's ChatGPT; it carries AI/ML relevance because the affected controller handles the application's chat functionality, and the public availability of an exploit increases real-world risk.

Details

CWE(s)
CWE-259 (Use of Hard-coded Password), CWE-798 (Use of Hard-coded Credentials)

Affected Products

Owner: 274056675 · Product: springboot-openai-chatgpt · 2024-12-29

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: The vulnerability affects 'springboot-openai-chatgpt', a Spring Boot application integrating OpenAI ChatGPT functionality with a controller (OpenController.java) for chat features, fitting enterprise AI assistants that deploy AI chat interfaces.

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.003 Local Accounts (Stealth)
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Hard-coded administrator credentials in the web application controller enable authentication with valid default or local accounts (T1078, T1078.001, T1078.003) and provide unsecured credentials stored in files (T1552.001).

References