CVE-2025-14117
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14117
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fit2cloud halo 2.21.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in fit2cloud Halo 2.21.10 allows an attacker to perform a cross-site request forgery (CSRF). This means an attacker can trick a user into executing unwanted actions on a web application in which they are authenticated, potentially causing unauthorized operations without the user's consent. The vulnerability can be exploited remotely.

Impact Analysis

The impact of this vulnerability is limited to integrity, as it allows unauthorized manipulation of certain functions via CSRF attacks. While it does not affect confidentiality or availability, it can lead to unauthorized actions being performed on your behalf, potentially compromising the integrity of your data or operations within the affected application.

Detection Guidance

Detection of this CSRF vulnerability involves monitoring for unauthorized or forged requests targeting the fit2cloud Halo 2.21.10 blog framework interface. Since the vulnerability allows remote attackers to perform unauthorized state-changing requests without authentication, network monitoring tools can be used to identify suspicious POST or state-changing HTTP requests that do not originate from legitimate user actions. Additionally, reviewing web server logs for unusual or unexpected requests to the blog framework interface may help detect exploitation attempts. Specific commands are not provided in the resources, but using tools like curl or browser developer tools to simulate or inspect requests could assist in detection. [1, 2]

Mitigation Strategies

Immediate mitigation steps include considering replacing the affected fit2cloud Halo 2.21.10 product with an alternative, as no official fixes or countermeasures have been provided by the vendor. Additionally, applying general CSRF protections such as implementing anti-CSRF tokens, enforcing same-site cookies, or restricting state-changing requests to verified users can help reduce risk. Monitoring for exploit attempts and limiting exposure of the vulnerable interface to untrusted networks may also be advisable. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart