CVE-2025-29315
Published: 24 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-29315 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the Shiro-based Role-based Access Control (RBAC) mechanism of the OpenDaylight Service Function Chaining (SFC) Subproject. It affects SFC Sodium-SR4 and earlier versions and is classified under CWE-284 (Improper Access Control). The issue allows attackers to execute privileged operations via a crafted request.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables attackers to perform privileged operations, resulting in high impacts to confidentiality, integrity, and availability on affected OpenDaylight SFC deployments.
References to the vulnerability include blog posts at https://blog.csdn.net/weixin_43959580/article/details/144794289, which provide further details on the issue. Specific mitigation or patch information is not detailed in the CVE description.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated improper access control flaw in a public-facing application (OpenDaylight SFC) that allows execution of privileged operations, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation) to perform high-privilege actions.