CVE-2025-41077
IDOR in Viafirma Inbox 4.5.13 Enables Admin Account Takeover

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
An IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users and to access and modify their data. This allows users' email addresses to be modified and, subsequently, the password recovery functionality to be used to access the application while impersonating any user, including those with administrative permissions.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
viafirma  inbox     up to 4.5.27 (excluding)
viafirma  inbox     4.5.27
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-41077 is an Insecure Direct Object Reference (IDOR) vulnerability in Viafirma Inbox version 4.5.13 and earlier. It allows any authenticated user, even without special privileges, to list all users and access or modify their data, including email addresses. By changing email addresses, an attacker can exploit the password recovery feature to impersonate any user, including administrators, gaining unauthorized access. [1]

Impact Analysis

This vulnerability can lead to unauthorized access to the application by allowing attackers to impersonate any user, including those with administrative privileges. This can result in data breaches, unauthorized data modification, and potential full control over the affected system. [1]

Detection Guidance

Detection involves verifying whether the installed Viafirma Inbox version is 4.5.13 or earlier, as these versions are vulnerable. Since the vulnerability allows any authenticated user to list all users and modify their data, testing can be done by attempting to enumerate users and modify email addresses via the application interface or API with an authenticated user account. Specific commands are not provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Viafirma Inbox to version 4.5.27 or later, where this vulnerability has been fixed. Additionally, restrict access to authenticated users and monitor for suspicious activity involving user enumeration or email modification. [1]
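The monitoring advice above (watch for user enumeration and cross-user email modification by non-administrative accounts) can be turned into a simple log check. The following is an added example, not code from Viafirma or from the advisory; the log format, the /api/users paths and the role field are assumptions, and the sample lines are constructed:

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from Viafirma Inbox); the line format
# "<actor_id> <role> <method> <path>" is an assumption made for this example.
SAMPLE_LOG = """\
1042 user GET /api/users/1042
1042 user GET /api/users
1042 user GET /api/users/7
1042 user PATCH /api/users/7
7 admin PATCH /api/users/7
2001 user GET /api/users/2001
"""

LINE_RE = re.compile(r"^(?P<actor>\d+) (?P<role>\w+) (?P<method>[A-Z]+) (?P<path>\S+)$")
USER_RE = re.compile(r"^/api/users/(?P<target>\d+)$")   # hypothetical per-user resource path
LIST_PATH = "/api/users"                                 # hypothetical user-listing path
WRITE_METHODS = {"PATCH", "PUT", "POST"}

def parse(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Label one request as suspicious for a non-admin actor, or return None."""
    if entry["role"] == "admin":
        return None  # administrators are expected to list and edit other users
    if entry["path"] == LIST_PATH:
        return "user_enumeration"
    m = USER_RE.match(entry["path"])
    if m and m.group("target") != entry["actor"]:
        return "cross_user_write" if entry["method"] in WRITE_METHODS else "cross_user_read"
    return None  # the actor touched only its own record, or an unrelated path

def detect(log_text):
    """Group suspicious requests by actor so an analyst sees the full sequence."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            alerts[entry["actor"]].append((label, entry["method"], entry["path"]))
    return dict(alerts)

if __name__ == "__main__":
    for actor, events in detect(SAMPLE_LOG).items():
        print(actor, events)
```

A non-admin account that lists users and then writes to another user's record, as actor 1042 does in the sample, is the sequence this CVE describes and is worth an alert even on patched versions.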
