CVE-2025-24865
Published: 13 February 2025
Description
Adversaries may transfer tools or other files from an external system into a compromised environment.
Security Summary
CVE-2025-24865 is a critical authentication bypass vulnerability in the administrative web interface of mySCADA myPRO Manager. Published on 2025-02-13, it stems from CWE-306 (Missing Authentication for Critical Function), allowing the interface to be accessed without any credentials. This enables unauthorized retrieval of sensitive information and file uploads without the associated password, earning a perfect CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
The vulnerability can be exploited by any unauthenticated attacker with network access to the affected interface. No user privileges, interaction, or complex conditions are required, making it highly accessible remotely with low attack complexity. Successful exploitation grants attackers the ability to extract sensitive data and upload arbitrary files, resulting in high impacts to confidentiality, integrity, and availability, compounded by a change in scope.
Mitigation guidance is detailed in CISA ICS Advisory ICSA-25-044-16 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16. Vendor resources include the mySCADA contacts page at https://www.myscada.org/contacts/ and downloads page at https://www.myscada.org/downloads/mySCADAPROManager/, which may provide patches or additional remediation steps.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass on public-facing admin web interface directly enables T1190 exploitation; facilitates T1005 via unauthorized sensitive data retrieval and T1105 via arbitrary file uploads without credentials.