CVE-2025-70973
Session Fixation in ScadaBR 1.12.4 Enables Session Hijacking
Publication date: 2026-03-09
Last updated on: 2026-04-07
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scadabr | scadabr | 1.12.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70973 is a session fixation vulnerability in ScadaBR, a SCADA monitoring system. The application assigns a JSESSIONID session cookie to users before they authenticate and does not change this session ID after the user logs in.

Because the session ID remains the same before and after login, an attacker who knows the victim's pre-login session ID can hijack the authenticated session by using that same session ID from another browser or client.

This means the attacker can access authenticated resources without needing the victim's credentials. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker to hijack an authenticated session by reusing a victim's session ID obtained before login.
- Unauthorized access to SCADA monitoring pages and authenticated functionality.
- Potential compromise of sensitive operational data and control over SCADA systems.
- Access remains until the victim logs out or the session expires.

[1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing if the JSESSIONID session cookie is assigned before authentication and remains the same after login, indicating that the session ID is not regenerated upon successful authentication.
A practical way to detect this is to use two browsers or HTTP clients to capture the JSESSIONID cookie before login in one client, then set the same JSESSIONID cookie in the other client and check if the second client can access authenticated pages without logging in.
Commands or tools that can help include:
- Using curl or HTTP client tools to capture and set cookies manually.
- Browser developer tools (Network tab) to inspect cookies and session behavior.
- Proxy tools like Burp Suite or OWASP ZAP to intercept and modify session cookies.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include regenerating the session ID upon successful authentication to prevent session fixation.
- Implement session ID regeneration using methods such as request.changeSessionId() or by invalidating and recreating the session after login.
- Set session cookies with security flags: HttpOnly, Secure (when using HTTPS), and SameSite to reduce the risk of session theft.
- Enforce HTTPS to protect session cookies from being intercepted over the network.
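
The detection check and the cookie-flag mitigations above can be verified together from captured response headers. The following is an added example, not code from ScadaBR or from this advisory; the function names, cookie values and the `/ScadaBR` path are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (not captured from a real system).
PRE_LOGIN = ["JSESSIONID=3F2A9C0E5B7D4A11; Path=/ScadaBR"]
POST_LOGIN_FIXED = [
    "JSESSIONID=9D1E77A2C4F0B358; Path=/ScadaBR; HttpOnly; Secure; SameSite=Lax"
]
POST_LOGIN_VULN = []  # no new cookie at login: the pre-login id stays in use


def session_cookie(set_cookie_headers, name="JSESSIONID"):
    """Return the last cookie called `name` among Set-Cookie values, or None."""
    found = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            found = jar[name]
    return found


def audit_login(pre_headers, post_headers, name="JSESSIONID"):
    """Compare the session cookie issued before and after authentication."""
    pre = session_cookie(pre_headers, name)
    post = session_cookie(post_headers, name)
    findings = []
    if pre is None:
        return findings  # no pre-authentication session id was issued
    if post is None or post.value == pre.value:
        findings.append("session id not regenerated at login (CWE-384)")
    # The cookie the browser keeps using after login.
    effective = post if post is not None else pre
    if not effective["httponly"]:
        findings.append("HttpOnly flag missing")
    if not effective["secure"]:
        findings.append("Secure flag missing")
    if not effective["samesite"]:
        findings.append("SameSite attribute missing")
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit_login(PRE_LOGIN, POST_LOGIN_VULN))
    print("fixed:     ", audit_login(PRE_LOGIN, POST_LOGIN_FIXED))
```

An empty result for a login exchange means the session ID was rotated and all three cookie attributes were set.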