CVE-2025-57130
Published: 05 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-57130, published on 2025-11-05, is an Incorrect Access Control vulnerability (CWE-284) in the user management component of ZwiiCMS up to version 13.6.07. It allows a remote, authenticated attacker to escalate privileges by sending a specially crafted HTTP request, enabling a low-privilege user to access and modify the profile data of any other user, including administrators. The issue carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality and integrity.
The attack requires an authenticated low-privilege account with network access to the vulnerable ZwiiCMS instance. An attacker can exploit it without user interaction by crafting and sending an HTTP request to the user management endpoint, gaining unauthorized read and write access to other users' profiles. This enables privilege escalation, such as modifying administrative credentials or roles, potentially leading to full system compromise.
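The flaw class described above, as an added illustration that is not ZwiiCMS code: a profile-update handler that authenticates the caller but never checks whether the caller is allowed to act on the target user id taken from the request, beside a hardened version that enforces an ownership-or-admin rule and strips role changes from non-admin callers. All names, roles and sample users are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field

ROLE_ADMIN = "admin"    # hypothetical role names
ROLE_MEMBER = "member"


@dataclass
class User:
    user_id: int
    role: str
    profile: dict = field(default_factory=dict)


def make_users() -> dict:
    """Constructed sample user table: one administrator, one low-privilege member."""
    return {
        1: User(1, ROLE_ADMIN, {"email": "admin@example.invalid"}),
        2: User(2, ROLE_MEMBER, {"email": "member@example.invalid"}),
    }


def update_profile_vulnerable(users: dict, session_user_id: int,
                              target_user_id: int, changes: dict) -> bool:
    """Checks only that the caller is logged in (authentication), never whether
    the caller may edit *this* target (authorization): CWE-284 pattern."""
    if session_user_id not in users or target_user_id not in users:
        return False
    users[target_user_id].profile.update(changes)  # any member can edit any profile
    return True


def update_profile_hardened(users: dict, session_user_id: int,
                            target_user_id: int, changes: dict) -> bool:
    """Object-level authorization: a caller may edit only their own profile unless
    they are an admin, and only an admin may change a role field."""
    caller = users.get(session_user_id)
    target = users.get(target_user_id)
    if caller is None or target is None:
        return False
    is_admin = caller.role == ROLE_ADMIN
    if not is_admin and caller.user_id != target.user_id:
        return False  # deny; a real handler would also log this for detection
    allowed = dict(changes)
    role = allowed.pop("role", None)  # never let profile data carry a role change
    if role is not None and is_admin:
        target.role = role
    target.profile.update(allowed)
    return True
```

The hardened check is the server-side rule the vulnerable handler lacks; the key point is that the decision is made from the session, not from any identifier in the request body.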
Advisories and mitigation details are available in the provided references, including the official ZwiiCMS site at http://zwiicms.com and a Nivel4 blog post at https://blog.nivel4.com/noticias/cve-2025-57130-especialistas-de-nivel4-identifican-falla-de-alta-severidad-en-gestor-de-contenidos, which discusses the high-severity flaw in the content management system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an incorrect access control flaw in a public-facing CMS user management component, enabling remote authenticated low-privilege attackers to escalate privileges via crafted HTTP requests (T1068: Exploitation for Privilege Escalation) by exploiting the web application (T1190: Exploit Public-Facing Application).