CVE-2025-65925
Unverified Account Creation Vulnerability in Zeroheight Legacy API

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: MITRE

Description
An issue was discovered in Zeroheight (SaaS) prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification controls and allowed unintended account creation. This could have enabled spam/fake account creation or resource usage impact. No data exposure or unauthorized access to existing accounts was reported.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-30
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor       Product      Version / Range
zeroheight   zeroheight   *
CWE ID: CWE-UNKNOWN
AI-Generated Insights
Executive Summary

This vulnerability in Zeroheight (SaaS) prior to 2025-06-13 involves a legacy user creation API that allowed accounts to be created without completing the intended email verification step. Although these unverified accounts could not access product functionality, the verification controls were bypassed, enabling unintended account creation.

Impact Analysis

The vulnerability could enable spam or fake account creation and potentially impact resource usage. However, no data exposure or unauthorized access to existing accounts was reported.

Compliance Impact

The vulnerability allowed account creation without email verification, potentially enabling spam or fake accounts and resource exhaustion. However, there was no reported data exposure or unauthorized access to existing accounts. Therefore, while it bypassed intended verification controls, it did not directly compromise personal data or sensitive information. As such, the impact on compliance with standards like GDPR or HIPAA is limited, since no data breach or unauthorized data access occurred. Nonetheless, the presence of fake accounts could indirectly affect compliance by complicating user management and monitoring processes. [1]

Detection Guidance

This vulnerability can be detected by monitoring account creation requests to the legacy user creation API endpoint that neither require nor include an email verification token. Network traffic analysis tools can inspect HTTPS requests to the affected API paths for account creation that skips verification. The exact commands depend on your environment; for example, using curl to test the legacy API endpoint for account creation without a verification token can help detect the issue. Reviewing server logs for account creation events that lack a verification step can also assist in detection. [1]
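The log review suggested above, as an added example that is not part of the original page or of Zeroheight's code: it scans constructed sample server log lines for accounts created through a creation endpoint and never verified, and counts creations per source IP so bulk fake-account creation stands out. The log format, the paths `/api/legacy/users`, `/api/users` and `/verify`, and the `email=` field are all assumptions; the real Zeroheight paths are not given on this page.

```python
"""Flag account creations never followed by email verification.

Added example, not Zeroheight's code: log format, endpoint paths and field
names are constructed (the real paths are not published on this page).
"""
import re
from collections import Counter

# Constructed sample log lines: timestamp, client IP, method, path, HTTP
# status, and an "email=" field written by the application (hypothetical).
SAMPLE_LOG = """\
2025-06-10T08:01:02Z 203.0.113.5 POST /api/legacy/users 201 email=alice@example.com
2025-06-10T08:01:40Z 203.0.113.5 GET /verify?token=REDACTED 200 email=alice@example.com
2025-06-10T08:02:11Z 198.51.100.9 POST /api/legacy/users 201 email=bot1@example.net
2025-06-10T08:02:12Z 198.51.100.9 POST /api/legacy/users 201 email=bot2@example.net
2025-06-10T08:02:13Z 198.51.100.9 POST /api/legacy/users 201 email=bot3@example.net
2025-06-10T08:05:00Z 192.0.2.77 POST /api/users 201 email=carol@example.com
2025-06-10T08:06:30Z 192.0.2.77 GET /verify?token=REDACTED 200 email=carol@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) email=(?P<email>\S+)$"
)
CREATE_PATHS = {"/api/legacy/users", "/api/users"}  # hypothetical paths
VERIFY_PREFIX = "/verify"                           # hypothetical path


def find_unverified_creations(log_text):
    """Return (sorted unverified emails, creation count per source IP).
    Unverified = a 201 POST to a creation path with no 200 hit on the
    verify endpoint for the same email anywhere in the log."""
    created_by = {}   # email -> source IP of the creation request
    verified = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are ignored
        f = m.groupdict()
        if f["method"] == "POST" and f["path"] in CREATE_PATHS and f["status"] == "201":
            created_by[f["email"]] = f["ip"]
        elif f["path"].startswith(VERIFY_PREFIX) and f["status"] == "200":
            verified.add(f["email"])
    unverified = sorted(e for e in created_by if e not in verified)
    return unverified, Counter(created_by.values())


if __name__ == "__main__":
    print(find_unverified_creations(SAMPLE_LOG))
```

On the sample above the three `bot*` accounts from 198.51.100.9 are reported as created but never verified, while alice and carol, who completed verification, are not.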

Mitigation Strategies

Immediate mitigation steps include ensuring that your Zeroheight SaaS instance is updated to the fixed version deployed on or after June 13, 2025, which enforces the requirement of a valid email verification token for all account creation flows. If updating immediately is not possible, restrict or disable access to the legacy user creation API pathway to prevent unverified account creation. Monitor for unusual account creation activity that may indicate exploitation attempts. No further user action is required once the fix is applied. [1]
