CVE-2025-25585
Published: 18 March 2025
Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Security Summary
CVE-2025-25585, published on 2025-03-18, is an incorrect access control vulnerability (CWE-284) in the /config/WebSecurityConfig.java component of yimioa versions prior to v2024.07.04. This flaw enables unauthorized attackers to arbitrarily modify Administrator passwords, with a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L), indicating high confidentiality and integrity impacts alongside low availability impact.
Per the CVSS vector, the attack vector is local, no privileges are required, and attack complexity is low, but exploitation depends on user interaction. Successful exploitation allows the attacker to set Administrator passwords to arbitrary values, which can yield unauthorized administrative access to and control over the affected yimioa instance.
The vulnerability is documented in the issue tracker at https://gitee.com/r1bbit/yimioa/issues/IBI7PG. Mitigation requires updating to yimioa v2024.07.04 or later, which resolves the access control issue in WebSecurityConfig.java.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The incorrect access control flaw directly enables unauthorized modification of Administrator passwords, which maps to T1098 Account Manipulation (altering credentials to gain or keep access) and to T1068 Exploitation for Privilege Escalation (an unprivileged attacker obtaining administrative access by exploiting the flaw).