CVE-2025-24865

The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16	US Government Resource Third Party Advisory
https://www.myscada.org/contacts/	Product
https://www.myscada.org/downloads/mySCADAPROManager/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*

History

04 Mar 2025, 20:59

Type	Values Removed	Values Added
Summary		(es) Se puede acceder a la interfaz web administrativa de mySCADA myPRO Manager sin autenticación, lo que podría permitir que un atacante no autorizado recupere información confidencial y cargue archivos sin la contraseña asociada.
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16 - US Government Resource, Third Party Advisory
References	~~() https://www.myscada.org/contacts/ -~~	() https://www.myscada.org/contacts/ - Product
References	~~() https://www.myscada.org/downloads/mySCADAPROManager/ -~~	() https://www.myscada.org/downloads/mySCADAPROManager/ - Product
First Time		Myscada mypro Myscada
CPE		cpe:2.3:a:myscada:mypro::::::::

13 Feb 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-13 22:15

Updated : 2025-03-04 20:59

NVD link : CVE-2025-24865

Mitre link : CVE-2025-24865

CVE.ORG link : CVE-2025-24865

JSON object : View

Products Affected

myscada

mypro

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2025-24865", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-13T22:15:12.613", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16", "tags": ["US Government Resource", "Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.myscada.org/contacts/", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.myscada.org/downloads/mySCADAPROManager/", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "The administrative web interface of \nmySCADA myPRO Manager\n\ncan be accessed without authentication \nwhich could allow an unauthorized attacker to retrieve sensitive \ninformation and upload files without the associated password."}, {"lang": "es", "value": "Se puede acceder a la interfaz web administrativa de mySCADA myPRO Manager sin autenticaci\u00f3n, lo que podr\u00eda permitir que un atacante no autorizado recupere informaci\u00f3n confidencial y cargue archivos sin la contrase\u00f1a asociada."}], "lastModified": "2025-03-04T20:59:05.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED7FC18F-6415-4B32-9420-E5D9663BFF49", "versionEndExcluding": "1.4"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}