CVE-2025-65925
Unverified Account Creation Vulnerability in Zeroheight Legacy API
Publication date: 2025-12-30
Last updated on: 2025-12-30
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zeroheight | zeroheight | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Zeroheight (SaaS) prior to 2025-06-13 involves a legacy user creation API that allowed accounts to be created without completing the intended email verification step. Although these unverified accounts could not access product functionality, the verification controls were bypassed, enabling unintended account creation.
How can this vulnerability impact me?
The vulnerability could enable spam or fake account creation and potentially impact resource usage. However, no data exposure or unauthorized access to existing accounts was reported.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allowed account creation without email verification, potentially enabling spam or fake accounts and resource exhaustion. However, there was no reported data exposure or unauthorized access to existing accounts. Therefore, while it bypassed intended verification controls, it did not directly compromise personal data or sensitive information. As such, the impact on compliance with standards like GDPR or HIPAA is limited, since no data breach or unauthorized data access occurred. Nonetheless, the presence of fake accounts could indirectly affect compliance by complicating user management and monitoring processes. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for account creation requests to the legacy user creation API endpoint that do not require or include an email verification token. Network traffic analysis tools can inspect HTTPS requests to the affected API paths for signs of account creation without verification. Specific commands depend on your environment; for example, using curl to test the legacy API endpoint for account creation without a verification token can confirm whether the issue is present. Reviewing server logs for account creation events that lack a verification step also assists in detection. [1]
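The log-review approach described above, as an added example that is not part of this record and not Zeroheight's own tooling. It assumes a key=value request log format, an assumed legacy path `/legacy/users` and a current path `/api/v2/users`, and assumed field names `verify_token` and `verified`; the sample log lines are constructed. It flags successful (2xx) account creations that carry no verification token and counts them per source address, since a burst of unverified creations from one client is the pattern the "spam or fake account creation" impact would leave behind.

```python
"""Audit request logs for account-creation events that skipped email verification.
Added illustration, not Zeroheight's code: the log format, the endpoint paths and
the field names are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample log lines (not real Zeroheight logs); one key=value record per line.
SAMPLE_LOG = """\
ts=2025-06-01T10:00:01Z ip=198.51.100.7 path=/legacy/users method=POST status=201 email=a@example.com verify_token=- verified=false
ts=2025-06-01T10:00:05Z ip=198.51.100.7 path=/legacy/users method=POST status=201 email=b@example.com verify_token=- verified=false
ts=2025-06-01T10:01:00Z ip=203.0.113.5 path=/api/v2/users method=POST status=201 email=c@example.com verify_token=tok_8f3a verified=true
ts=2025-06-01T10:02:00Z ip=203.0.113.9 path=/legacy/users method=POST status=400 email=d@example.com verify_token=- verified=false
ts=2025-06-01T10:03:00Z ip=198.51.100.7 path=/legacy/users method=POST status=201 email=e@example.com verify_token=tok_11aa verified=true
"""

# Assumed paths of the legacy and current account-creation endpoints.
ACCOUNT_CREATE_PATHS = {"/legacy/users", "/api/v2/users"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class UnverifiedCreation:
    ts: str
    ip: str
    path: str
    email: str


def parse_line(line):
    """Split one key=value log line into a dict (empty dict for blank/garbled lines)."""
    return dict(FIELD_RE.findall(line))


def find_unverified_creations(log_text):
    """Return successful account creations that carry no verification token or are not marked verified."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec.get("method") != "POST" or rec.get("path") not in ACCOUNT_CREATE_PATHS:
            continue
        if not rec.get("status", "").startswith("2"):
            continue  # a rejected request created no account, so it is not a finding
        token_missing = rec.get("verify_token", "-") in ("-", "")
        if token_missing or rec.get("verified") != "true":
            findings.append(UnverifiedCreation(rec["ts"], rec["ip"], rec["path"], rec["email"]))
    return findings


def creations_per_source(findings):
    """Count flagged creations per client IP; many from one source point at bulk fake-account creation."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unverified_creations(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} created {h.email} via {h.path} without verification")
    print(creations_per_source(hits))
```

On the constructed sample this reports the two unverified creations via the legacy path from 198.51.100.7 and ignores the rejected (400) request and the two verified creations. In a real deployment the same logic runs over whatever fields your edge proxy or application actually logs; the point is to key on "account created" plus "no verification token", not on the path alone.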
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that your Zeroheight SaaS instance is updated to the fixed version deployed on or after June 13, 2025, which enforces the requirement of a valid email verification token for all account creation flows. If updating immediately is not possible, restrict or disable access to the legacy user creation API pathway to prevent unverified account creation. Monitor for unusual account creation activity that may indicate exploitation attempts. No further user action is required once the fix is applied. [1]
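A model of the fixed behaviour described above, as an added example that is not Zeroheight's code: every account-creation path must present a valid, unexpired, single-use email-verification token, and the legacy pathway is retired rather than left callable. The `VerificationStore` and `AccountService` classes, the 15-minute token lifetime and the HTTP status codes are assumptions chosen for illustration.

```python
"""Account creation gated on a verified email token; the legacy pathway is disabled.
Added example, not Zeroheight's implementation: names, lifetimes and status codes are assumed."""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a verification email link


class VerificationStore:
    """Tokens issued when the verification email is sent, keyed by email address."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._pending = {}           # email -> (token, expires_at)

    def issue(self, email):
        """Mint an unguessable token; in the real flow it is delivered only by email."""
        token = secrets.token_urlsafe(32)
        self._pending[email] = (token, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, email, presented):
        """True only if a live token exists for this email and matches; the token is then invalidated."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        token, expires_at = entry
        if self._now() > expires_at:
            del self._pending[email]
            return False
        # Constant-time comparison; a missing token is treated as an empty string.
        if not hmac.compare_digest(token, presented or ""):
            return False
        del self._pending[email]     # single use: the same link cannot create two accounts
        return True


class AccountService:
    def __init__(self, store):
        self.store = store
        self.accounts = {}

    def create_account(self, email, verify_token):
        """Fixed flow: no account exists until the email has been proven reachable."""
        if not self.store.consume(email, verify_token):
            return {"status": 403, "error": "email verification required"}
        self.accounts[email] = {"verified": True}
        return {"status": 201}

    def legacy_create_account(self, email):
        """Pre-fix pathway: disabled outright instead of patched, so it cannot drift again."""
        return {"status": 410, "error": "legacy endpoint disabled"}


if __name__ == "__main__":
    store = VerificationStore()
    svc = AccountService(store)
    print(svc.create_account("user@example.com", None))          # 403, no token
    tok = store.issue("user@example.com")
    print(svc.create_account("user@example.com", tok))           # 201
    print(svc.create_account("user@example.com", tok))           # 403, token already consumed
    print(svc.legacy_create_account("user@example.com"))         # 410
```

The design choice that matters is that the verification check lives in the one place that writes the account record, so a second entry point cannot bypass it; returning a uniform 403 for missing, wrong, expired and reused tokens avoids telling a caller which case they hit.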