CVE-2025-25967
Published: 03 March 2025
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Security Summary
Acora CMS version 10.1.1 is affected by CVE-2025-25967, a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352. The flaw arises from the absence of CSRF protections: state-changing requests are accepted without a per-request anti-CSRF token or an equivalent check that the request originated from the application itself, so a request crafted by a third party is processed as if the logged-in user had submitted it. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), High severity.
The attacker needs no account or privileges on the CMS (PR:N). They host the forged request in external content such as a web page or an HTML email (AV:N, AC:L) and rely on a logged-in user visiting it (UI:R); the victim's browser attaches the session cookie automatically, so the CMS treats the request as authenticated and performs the action. The advisory cites account deletion and user creation as reachable actions, which yields full confidentiality, integrity and availability impact (C:H/I:H/A:H) without crossing a privilege boundary (S:U).
Mitigation guidance and additional details are available in the referenced advisory at https://github.com/padayali-JD/CVE-2025-25967.
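To make the mechanism concrete, the following is an added example (not Acora CMS code and not from the referenced advisory) that simulates the account-deletion case: a handler that authenticates only by the ambient session cookie, next to the same handler hardened with a per-session synchronizer token and an Origin/Referer check. The endpoint path, form field names, hostnames and in-memory user table are assumptions constructed for the demonstration.

```python
"""Constructed CSRF demonstration: vulnerable handler vs. hardened handler.
Added example, not Acora CMS code; all names and data below are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://cms.example"  # assumed origin of the hypothetical CMS

# Constructed in-memory state standing in for the CMS user table and sessions.
USERS = {"admin": {"role": "administrator"}, "editor": {"role": "editor"}}
SESSIONS = {}  # session id -> {"user": str, "csrf": str}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session for `user`; the anti-CSRF token is bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def current_user(req: Request):
    sess = SESSIONS.get(req.cookies.get("session", ""))
    return sess["user"] if sess else None


def delete_user_vulnerable(req: Request, users: dict) -> int:
    """Authenticates solely by the session cookie, which the victim's browser
    attaches to a cross-site form POST as well: the CWE-352 pattern."""
    if req.method != "POST" or current_user(req) is None:
        return 401
    users.pop(req.form.get("user"), None)
    return 200


def delete_user_hardened(req: Request, users: dict) -> int:
    """Same action, but rejects requests that carry no proof of same-site intent."""
    if req.method != "POST":
        return 405
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401
    # 1. Origin check. Browsers set Origin on cross-site POSTs and a page on
    #    attacker.example cannot forge it. Fall back to Referer, and fail
    #    closed when neither header is present.
    origin = req.headers.get("Origin")
    if origin is None:
        ref = req.headers.get("Referer", "")
        origin = SITE_ORIGIN if ref.startswith(SITE_ORIGIN + "/") else ""
    if origin != SITE_ORIGIN:
        return 403
    # 2. Synchronizer token: the attacker's page cannot read the victim's token,
    #    so a forged form cannot include it. Constant-time compare.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    users.pop(req.form.get("user"), None)
    return 200


def simulate_forged(handler):
    """One forged cross-site POST against `handler` on a fresh user table.
    Returns (status, remaining user names) so the outcome can be checked."""
    users = {k: dict(v) for k, v in USERS.items()}
    sid = login("editor")          # victim is logged in to the CMS ...
    forged = Request(              # ... and visits attacker.example, which
        method="POST",             # auto-submits a form to the CMS endpoint.
        path="/admin/users/delete",
        headers={"Origin": "https://attacker.example"},
        cookies={"session": sid},  # browser attaches the ambient cookie
        form={"user": "admin"},    # no csrf_token: attacker cannot read it
    )
    return handler(forged, users), sorted(users)


def simulate_legitimate(handler):
    """The same deletion issued from the CMS's own page, carrying its token."""
    users = {k: dict(v) for k, v in USERS.items()}
    sid = login("editor")
    req = Request("POST", "/admin/users/delete",
                  headers={"Origin": SITE_ORIGIN},
                  cookies={"session": sid},
                  form={"user": "admin", "csrf_token": SESSIONS[sid]["csrf"]})
    return handler(req, users), sorted(users)


if __name__ == "__main__":
    print("vulnerable, forged:", simulate_forged(delete_user_vulnerable))
    print("hardened,   forged:", simulate_forged(delete_user_hardened))
    print("hardened,   legit: ", simulate_legitimate(delete_user_hardened))
```

The forged request succeeds against the vulnerable handler and removes the admin account; against the hardened handler it is rejected at the Origin check, and would also fail the token comparison if the Origin header were somehow absent. Both checks are kept because they fail independently: a Referer-stripping privacy setting does not weaken the token, and a token leak through some other flaw does not bypass the origin check. Setting the session cookie with `SameSite=Lax` or `Strict` is a third, browser-enforced layer that the page's advisory does not rule out and that a deployment should add as well.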
Details
CWE(s): CWE-352 (Cross-Site Request Forgery)
Affected Products: Acora CMS 10.1.1
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CMS is reached over the network as a public-facing web application, so the CSRF flaw is an Exploit Public-Facing Application vector (T1190). Because the forged request executes with the victim's authenticated session, the attacker can use it to create a local account (T1136.001, Create Account: Local Account) or to delete existing accounts (T1531, Account Access Removal), the latter being the availability impact quoted in the Description above.