Skip to main content

ZwiiCMS CVE-2025-57130

HIGH
Improper Access Control (CWE-284)
2025-11-05 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable with a low-privilege account (PR:L) and no interaction; overwriting admin profile yields full account takeover, so C/I/A all High and AC:L.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 05, 2026 - 02:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 05, 2026 - 02:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 05, 2026 - 02:22 vuln.today
cvss_changed
CVSS changed
Jul 05, 2026 - 02:22 NVD
8.3 (HIGH) 8.8 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 05, 2025 - 16:15 nvd
HIGH 8.3

DescriptionNVD

An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.

AnalysisAI

Privilege escalation in ZwiiCMS content management system (versions up to and including v13.6.07) allows a low-privilege authenticated user to read and overwrite the profile data of any other account, including administrators, by manipulating a crafted HTTP request to the user management component. Because an attacker can rewrite an administrator's credentials, this effectively yields full administrative takeover of the CMS. EPSS is low (0.23%, 46th percentile) and there is no public exploit identified at time of analysis, so risk is elevated primarily by the low attack complexity rather than by evidence of in-the-wild use.

Technical ContextAI

ZwiiCMS is a lightweight, flat-file (database-free) PHP content management system aimed at building small websites. The flaw resides in its user management component and is classified as CWE-284 (Improper Access Control): the application authenticates the requester but fails to authorize the requested action against the target object, so an object/identifier supplied in the HTTP request is trusted without verifying that the caller owns or may edit that record. The single CPE in scope, cpe:2.3:a:zwiicms:zwiicms:*:*:*:*:*:*:*:*, indicates the vendor's own product line with no version boundary encoded, consistent with 'all versions up to 13.6.07' being affected. The tag 'Authentication Bypass' is imprecise here - authentication is not bypassed; rather, authorization checks are missing on an already-authenticated session (a horizontal/vertical access-control failure).

RemediationAI

No vendor-released patch version is identified in the available data, so upgrade to a fixed release cannot yet be cited by number - monitor http://zwiicms.com and the ZwiiCMS project for a release above v13.6.07 that references CVE-2025-57130, and apply it once published. As compensating controls in the interim: disable open/self-service user registration so untrusted parties cannot obtain the low-privilege account the attack requires (trade-off: blocks legitimate new sign-ups); restrict access to the site administration and user-management endpoints by IP allow-list or an authenticating reverse proxy so only trusted networks can reach them (trade-off: complicates remote admin); and audit existing accounts and rotate administrator credentials, since a successful exploit alters admin profile data. Review the Nivel4 advisory (https://blog.nivel4.com/noticias/cve-2025-57130-especialistas-de-nivel4-identifican-falla-de-alta-severidad-en-gestor-de-contenidos) for any vendor-coordinated fix details before deploying.

Share

CVE-2025-57130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy