Cyber Posture

CVE-2025-2388

High

Published: 17 March 2025

Modified: 15 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0021 (43.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-2388 is a critical improper authentication vulnerability (CWE-287) in Keytop 路内停车收费系统 version 2.7.1. The issue affects an unknown functionality within the API component, specifically the file /saas/commonApi/park/getParks. Published on 2025-03-17, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers can exploit this vulnerability without user interaction or privileges, requiring only low complexity over the network. Manipulation of the affected endpoint bypasses authentication, potentially enabling limited impacts on confidentiality, integrity, and availability.

Advisories and additional details, including the publicly disclosed exploit, are available at VulDB entries (https://vuldb.com/?ctiid.299887, https://vuldb.com/?id.299887, https://vuldb.com/?submit.516710) and the GitHub wiki (https://github.com/K-mxredo/MXdocument/wiki). The exploit has been disclosed to the public and may be used.

Details

CWE(s): CWE-287 (Improper Authentication)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an improper authentication vulnerability (CWE-287) in a publicly accessible API endpoint (/saas/commonApi/park/getParks) that allows remote attackers to bypass authentication with no privileges or user interaction. This directly enables initial access by exploiting a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
