CVE-2025-9139
BaseFortify
Publication date: 2025-08-19
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scada-lts | scada-lts | 2.7.8.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| NVD-CWE-noinfo | Insufficient information to assign a specific CWE (NVD placeholder). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9139 is an information disclosure vulnerability in Scada-LTS version 2.7.8.1, specifically affecting the WatchListDwr.init.dwr endpoint. An authenticated user with minimal privileges can send a crafted POST request to this endpoint and retrieve sensitive personal information of all users in the system, including usernames, email addresses, phone numbers, and administrative status flags. This occurs due to insufficient access controls on this internal API endpoint. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to privacy violations by exposing personal contact information of users. It facilitates privilege escalation by revealing administrator usernames and roles, enabling attackers to perform targeted phishing or social engineering attacks. Additionally, it allows attackers to perform reconnaissance to map the user structure within the SCADA-LTS system, potentially aiding further exploitation. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for POST requests to the endpoint `/Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr` from authenticated users. A crafted POST request to this endpoint may return sensitive user information. You can use network monitoring tools such as tcpdump or Wireshark to capture such traffic. For example, a tcpdump command that captures HTTP packets carrying a payload and filters for this endpoint could be: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr'`. Additionally, checking web server logs for POST requests to this path from authenticated users can help detect exploitation attempts. [1]
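The log-review approach described above, as an added example that is not part of this advisory or of the Scada-LTS project: a Python script that scans access-log lines for POSTs to the `WatchListDwr.init.dwr` endpoint and summarizes them per client IP. It assumes the servlet container writes Apache common-format access logs; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory text for CVE-2025-9139.
VULN_PATH = "/Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr"

# Assumption: the container writes Apache "common" style access logs
# (ip ident user [time] "request" status bytes). Adjust LOG_RE if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Aug/2025:10:01:30 +0000] "POST /Scada-LTS/login.htm HTTP/1.1" 302 0
10.0.0.5 - - [19/Aug/2025:10:02:01 +0000] "POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr HTTP/1.1" 200 18422
10.0.0.7 - - [19/Aug/2025:10:02:05 +0000] "POST /Scada-LTS/dwr/call/plaincall/OtherDwr.example.dwr HTTP/1.1" 200 512
10.0.0.5 - - [19/Aug/2025:10:02:09 +0000] "POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr HTTP/1.1" 200 18422
10.0.0.9 - - [19/Aug/2025:10:03:00 +0000] "GET /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr HTTP/1.1" 405 0
"""

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_watchlist_init_post(rec):
    # Drop any query string; DWR plaincall requests are POSTs to the exact path.
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == VULN_PATH

def summarize_by_client(log_text):
    """Per client IP: number of POSTs to the endpoint, how many of them got HTTP 200
    with a non-empty body (a user listing was likely returned), and the time span."""
    summary = defaultdict(lambda: {"count": 0, "returned_data": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_watchlist_init_post(rec):
            continue
        s = summary[rec["ip"]]
        s["count"] += 1
        if rec["status"] == "200" and rec["size"] not in ("-", "0"):
            s["returned_data"] += 1
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarize_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {s['count']} POST(s), {s['returned_data']} returned data, {s['first']} .. {s['last']}")
```

Because the watch list UI itself may call this DWR method during normal use, treat the per-client volume and large 200 responses as the signal rather than a single hit.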
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr` to only trusted and necessary users, enforcing strict authentication and authorization controls, and monitoring for suspicious access patterns. Since the vulnerability requires authentication but not elevated privileges, limiting user permissions and auditing user accounts can reduce risk. The vendor notes that the overall risk remains due to potential malicious admin actions, so consider replacing the affected component with an alternative product if possible. Applying any patches or updates from the vendor is also recommended once they are released. [1, 2]