CVE-2025-23974

EUVD-2025-17478 | Severity: HIGH | Published: 2025-06-09 | Assigner: [email protected]
CVSS 3.1 base score: 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 19:21 (euvd) - EUVD-2025-17478
Analysis Generated: Mar 14, 2026 19:21 (vuln.today)
CVE Published: Jun 09, 2025 16:15 (nvd) - HIGH 8.1

Description

Incorrect Privilege Assignment vulnerability in ifkooo One-Login allows Privilege Escalation. This issue affects One-Login: from n/a through 1.4.

Analysis

CVE-2025-23974 is an Incorrect Privilege Assignment vulnerability in ifkooo One-Login that enables unauthenticated remote privilege escalation. Versions 1.4 and earlier are affected. An attacker can gain unauthorized access to sensitive functions without any user interaction, with high impact on confidentiality, integrity and availability. The CVSS 8.1 score reflects significant risk, although the high attack complexity (AC:H) indicates that exploitation depends on specific conditions; KEV/POC status and active exploitation data are not available in the provided intelligence.

Technical Context

The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a class of flaws in which the application fails to properly assign or validate user privilege levels during authentication or authorization checks. In ifkooo One-Login this likely manifests as improper role-based access control (RBAC) or capability-based enforcement in the Single Sign-On (SSO) mechanism. The flaw allows an unauthenticated attacker (PR:N) to bypass the privilege assignment logic and obtain administrative or elevated privileges over the authentication/authorization service. The affected range is given as 'n/a through 1.4', which indicates that all known releases up to and including version 1.4 are affected. A CPE identifier for ifkooo One-Login would typically take the form 'cpe:2.3:a:ifkooo:one-login:*:*:*:*:*:*:*:*' with a version constraint of <=1.4.

Affected Products

One-Login, version 1.4 and earlier (all versions from the initial release through 1.4)

Remediation

Patch (priority: High): Upgrade ifkooo One-Login to version 1.5 or later. The exact patched version is not specified in the provided data; verify the confirmed fix version against the ifkooo security advisory. Contact ifkooo support or monitor their security advisories for the release of a patched version. Version 1.5 or higher should address the CWE-266 privilege assignment logic.

Workaround (priority: Medium; applicability: temporary mitigation, not a substitute for patching): Implement network-level access controls and restrict access to One-Login services to trusted administrative networks only. Disable external/untrusted user access to One-Login endpoints until the patch is applied.

Mitigation (priority: Medium; applicability: reduces attack surface while the patch is pending): Monitor authentication logs and privilege assignment events for anomalies that indicate unauthorized privilege escalation. Implement additional MFA/step-up authentication for sensitive SSO operations.

Advisory Reference (priority: Critical for validation): Review official ifkooo security advisories and vendor patches. No direct links are available in the provided intelligence; consult ifkooo's security portal or contact the vendor directly.

Priority Score

41 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +40
POC: 0

CVE-2025-23974 vulnerability details – vuln.today