Cyber Posture

CVE-2025-27138

CriticalPublic PoC

Published: 13 March 2025

Published
13 March 2025
Modified
21 March 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0060 69.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-27138 is an authentication flaw in DataEase, an open-source business intelligence and data visualization tool. Prior to version 2.10.6, the io.dataease.auth.filter.TokenFilter class contains a vulnerability that enables unauthorized access. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization).

Remote attackers require no privileges, authentication, or user interaction to exploit this over the network with low complexity. Successful exploitation allows unauthorized access to the application, resulting in high confidentiality, integrity, and availability impacts.

The issue is fixed in DataEase version 2.10.6, with no known workarounds available. Additional details are provided in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-533g-whf8-q637.

Details

CWE(s)
CWE-287CWE-863

Affected Products

dataease
dataease
≤ 2.10.6

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Authentication bypass vulnerability in public-facing web application (DataEase) with no credentials required enables direct exploitation for initial access via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References