CVE-2025-25381
Published: 06 March 2025
Description
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Security Summary
CVE-2025-25381 is an incorrect access control vulnerability (CWE-284) in the KSRTC AWATAR app version 1.3.0 of the Karnataka State Road Transport Corporation. The flaw enables unauthorized viewing of sensitive information, such as usernames and passwords. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.
The vulnerability can be exploited by any unauthenticated attacker with network access to the affected app, requiring no privileges or user interaction. Exploitation allows remote retrieval of sensitive credentials, potentially enabling further compromise of associated accounts or systems, though it does not impact integrity or availability.
Advisories providing further details, including potential mitigations or patches, are available at references such as https://github.com/advisories/GHSA-x2cr-cpw2-j9x5, https://github.com/edwin-0990/CVE_ID/blob/main/CVE-2025-25381/README.md, and https://www.tenable.com/cve/CVE-2025-25381. Security practitioners should review these sources for specific remediation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an improper access control flaw in a network-accessible application allowing remote unauthenticated retrieval of credentials, directly enabling exploitation of public-facing applications (T1190) and access to unsecured credentials (T1552).