CVE-2025-25749
Published: 11 March 2025
Description
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Security Summary
CVE-2025-25749 affects HotelDruid version 3.0.7 and earlier, where users can set weak passwords due to the absence of password strength policy enforcement. Published on 2025-03-11, this vulnerability falls under CWE-521 (Weak Password Requirements) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating a high-severity issue stemming from inadequate controls on password complexity during account creation or modification.
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction required (UI:N). By setting weak passwords on their own or accessible accounts, the attacker enables subsequent brute-force or guessing attacks, potentially achieving high impacts on confidentiality and integrity (C:H/I:H) such as unauthorized data access or modification, alongside low availability impact (A:L).
Mitigation guidance is available in the referenced advisory at https://www.huyvo.net/post/cve-2025-25749-weak-password-policy-in-hoteldruid-3-0-7.
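The control whose absence this CVE describes is a server-side password policy applied at account creation and modification. The following is an added example, not code from HotelDruid or from the referenced advisory, showing what such enforcement looks like: a policy checker that reports every violation (minimum length, character classes, a common-password denylist, username reuse, repeated runs) and a `set_password` hook that refuses to store a password that fails it. The threshold values, the denylist entries and the account store are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Policy parameters: assumed values for this example, not HotelDruid settings.
MIN_LENGTH = 12
MAX_LENGTH = 128
MIN_CLASSES = 3          # of lowercase, uppercase, digit, symbol
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored hash

# Constructed denylist of frequently guessed passwords (illustrative only).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "hoteldruid", "hotel123",
}


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    return classes


def check_password_policy(password: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        violations.append(f"uses fewer than {MIN_CLASSES} character classes")

    lowered = password.lower()
    # Strip trailing digits/symbols so "Password1234!" is still caught by the denylist.
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        violations.append("appears in the common-password denylist")

    if username and len(username) >= 3 and username.lower() in lowered:
        violations.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        violations.append("contains a run of 4 or more identical characters")
    return violations


def set_password(store: dict, username: str, password: str) -> bool:
    """Account creation/modification hook: enforce the policy before storing anything.

    Returns True if the password was accepted and stored, False if it was rejected.
    The store maps username -> (salt, pbkdf2 hash); it is a constructed stand-in
    for a real user table.
    """
    if check_password_policy(password, username):
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    store[username] = (salt, digest)
    return True


def verify_password(store: dict, username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    if username not in store:
        return False
    salt, expected = store[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    accounts = {}
    for user, pw in [("admin", "hotel123"), ("bob", "Password1234!"),
                     ("alice", "Correct-Horse-Battery-9")]:
        problems = check_password_policy(pw, user)
        print(user, "accepted" if set_password(accounts, user, pw) else "rejected", problems)
```

The check runs on the server, not in the browser, so it cannot be bypassed by editing a form; returning the full list of violations rather than a single boolean lets the application show the user exactly which rule failed while logging the rejection for the operator.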
Details
CWE(s): CWE-521 (Weak Password Requirements)
Affected Products: HotelDruid 3.0.7 and earlier
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's lack of password strength enforcement (CWE-521) directly allows weak passwords on accounts, explicitly enabling subsequent brute-force and guessing attacks as described in the CVE.