CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Smart Parking Management System from Honding Technology has a Missing Authorization vulnerability, allowing remote attackers with regular privileges to access a specific functionality to create administrator accounts, and subsequently log into the system using those accounts.
Analysis (AI)
Critical Missing Authorization (CWE-862) vulnerability in Honding Technology's Smart Parking Management System: an authenticated user holding only regular privileges can invoke the account-creation functionality and create administrator accounts, because the system performs no authorization check on that operation. An attacker can use this flaw to escalate privileges, create backdoor admin accounts, and take full control of the system (high confidentiality, integrity, and availability impact). The CVSS 8.8 score reflects the high severity; the real-world risk further depends on whether exploitation in the wild has been observed and whether public proof-of-concept code exists.
Technical Context (AI)
This vulnerability stems from a Missing Authorization flaw (CWE-862) in the Smart Parking Management System's administrative account-creation functionality. The root cause is the absence of privilege-level validation: the system never verifies that only users with administrator or system-level privileges may invoke the account-creation endpoint, so authentication alone is enough to reach it. The affected product is the Smart Parking Management System from Honding Technology; the CVE record gives no version information, so the vulnerability likely affects multiple versions. The attack surface is network-accessible (AV:N), suggesting the vulnerable functionality is exposed via HTTP/HTTPS APIs or web interfaces commonly found in IoT and Smart City management platforms. Exploitation has low complexity (AC:L): no special conditions or timing are required, and any authenticated user can trigger the flaw reliably.
Remediation (AI)
- Immediate Mitigation: Restrict network access to administrative account-creation endpoints using WAF rules or network segmentation; limit access to trusted administrative networks only.
- Access Control Implementation: Implement strict role-based access control (RBAC) checks before processing account-creation requests; verify user roles/permissions at both the API gateway and the application level.
- Patch Deployment: Contact Honding Technology for a vendor advisory and security patch; no patch version information is currently available in the CVE record, so request it from the vendor immediately.
- Compensating Control: Enable comprehensive audit logging for all account-creation attempts; monitor the logs for unauthorized admin account creation and alert on anomalies.
- Account Review: Audit existing administrator accounts to identify and remove any unauthorized or suspicious accounts created via this vulnerability.
- Credential Rotation: Rotate all administrator credentials and force re-authentication after patches are applied.
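The following is an added illustration, not code from Honding Technology's product or from this vulnerability record. It shows the CWE-862 shape described above (an account-creation handler that authenticates but never authorizes) next to a hardened handler that enforces a deny-by-default RBAC check and writes an audit entry for every attempt, plus the account-review step: listing admin accounts that have no legitimate creation record. All names, roles, sessions and log lines are constructed for the example.

```python
"""Missing authorization (CWE-862) beside its hardened form, with audit logging
and an admin-account review helper. Constructed example; not vendor code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ADMIN = "admin"
USER = "user"
VALID_ROLES = {ADMIN, USER}


class AuthorizationError(Exception):
    """Raised when the caller lacks the privilege an operation requires."""


@dataclass
class Session:
    """An authenticated caller. `role` must come from server-side session state,
    never from the request body (hypothetical model)."""
    username: str
    role: str


@dataclass
class Directory:
    """In-memory stand-in for the account store and an append-only audit log."""
    accounts: Dict[str, str] = field(default_factory=dict)   # username -> role
    audit_log: List[str] = field(default_factory=list)


def create_account_vulnerable(directory: Directory, caller: Session,
                              new_user: str, new_role: str) -> bool:
    """CWE-862 pattern: the caller is authenticated (we have a Session), but the
    handler never checks caller.role, so a regular user can mint an admin."""
    directory.accounts[new_user] = new_role
    return True


def create_account_hardened(directory: Directory, caller: Session,
                            new_user: str, new_role: str) -> bool:
    """Deny-by-default RBAC: only an admin may create accounts; every attempt,
    allowed or denied, is recorded so anomalies can be alerted on."""
    if caller.role != ADMIN:
        directory.audit_log.append(
            f"DENIED create_account caller={caller.username} caller_role={caller.role} "
            f"target={new_user} target_role={new_role}")
        raise AuthorizationError(f"{caller.username} may not create accounts")
    if new_role not in VALID_ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    directory.accounts[new_user] = new_role
    directory.audit_log.append(
        f"ALLOWED create_account caller={caller.username} "
        f"target={new_user} target_role={new_role}")
    return True


def unaccounted_admins(directory: Directory, bootstrap_admins: Set[str]) -> Set[str]:
    """Account review: admin accounts that are neither known bootstrap admins nor
    backed by an ALLOWED creation entry in the audit log are review candidates."""
    logged: Set[str] = set()
    for line in directory.audit_log:
        if not line.startswith("ALLOWED create_account"):
            continue
        fields = dict(part.split("=", 1) for part in line.split()[2:])
        if fields.get("target_role") == ADMIN:
            logged.add(fields["target"])
    admins = {u for u, r in directory.accounts.items() if r == ADMIN}
    return admins - bootstrap_admins - logged


def demo() -> dict:
    """Run both handlers with constructed sessions and return the outcomes."""
    regular = Session("parking_user", USER)

    vuln = Directory(accounts={"root": ADMIN})
    create_account_vulnerable(vuln, regular, "rogue_admin", ADMIN)  # succeeds: no check

    hard = Directory(accounts={"root": ADMIN})
    denied = False
    try:
        create_account_hardened(hard, regular, "rogue_admin", ADMIN)
    except AuthorizationError:
        denied = True
    create_account_hardened(hard, Session("root", ADMIN), "ops_admin", ADMIN)

    return {
        "vulnerable_accounts": dict(vuln.accounts),
        "hardened_denied": denied,
        "hardened_accounts": dict(hard.accounts),
        "hardened_log": list(hard.audit_log),
        "suspicious_in_vulnerable": unaccounted_admins(vuln, {"root"}),
        "suspicious_in_hardened": unaccounted_admins(hard, {"root"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The review helper shows why the audit log is a compensating control rather than a fix: in the vulnerable directory the rogue admin appears with no creation record, which is exactly the anomaly the Account Review step is looking for, while in the hardened directory the denied attempt is itself logged and can drive an alert.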
EUVD-2025-17442