CVE-2025-25709
Published: 12 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25709, published on 2025-03-12, is a privilege escalation vulnerability in dtp.ae tNexus Airport View version 2.8. The issue resides in the addUser and updateUser endpoints, where a remote attacker can exploit flawed access controls to elevate their privileges. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact without affecting integrity or availability.
A remote attacker requires no prior privileges, authentication, or user interaction to exploit the vulnerability over the network. By targeting the addUser or updateUser endpoints, the attacker can escalate to higher privilege levels, potentially gaining unauthorized access to sensitive data and achieving high confidentiality impact as reflected in the CVSS metrics.
Mitigation details and further technical analysis are available in the referenced vulnerability research repository at https://github.com/z5jt/vulnerability-research/tree/main/CVE-2025-25709.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated remote privilege escalation vulnerability in a public-facing web application due to flawed access controls on addUser/updateUser endpoints, directly enabling T1190 for initial access via public app exploitation and T1068 for privilege escalation.