CVE-2025-25264

CWE-942 | 3 documents | 3 sources
Severity
6.5 MEDIUM
EPSS
0.1%
top 67.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jun 16

Description

An unauthenticated remote attacker can trick an admin into visiting a website containing malicious JavaScript code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (12 packages)

CVEListV5 | wago/cc100_0751-9x01 | 0.0.0 to 04.07.01 (FW29) | +1
CVEListV5 | wago/tp600_0762-420x/8000-000x | 0.0.0 to 04.07.01 (FW29) | +1
CVEListV5 | wago/tp600_0762-430x/8000-000x | 0.0.0 to 04.07.01 (FW29) | +1
CVEListV5 | wago/tp600_0762-520x/8000-000x | 0.0.0 to 04.07.01 (FW29) | +1
CVEListV5 | wago/tp600_0762-530x/8000-000x | 0.0.0 to 04.07.01 (FW29) | +1

Vulnerability Details

2 sources

CVEList | Overly Permissive CORS Policy in WAGO Device Manager | 2025-06-16
GHSA | GHSA-rqg6-587c-h9v3: An unauthenticated remote attacker can take advantage of the current overly permissive CORS policy to gain access and read the responses, potentially | 2025-06-16
CVE-2025-25264 (MEDIUM CVSS 6.5) | An unauthenticated remote attacker | cvebase.io