CVE-2025-70973
Received Received - Intake
Session Fixation in ScadaBR 1.12.4 Enables Session Hijacking

Publication date: 2026-03-09

Last updated on: 2026-04-07

Assigner: MITRE

Description
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70973
EUVD
EUVD-2025-208456
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
scadabr scadabr 1.12.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-70973 is a session fixation vulnerability in ScadaBR, a SCADA monitoring system. The application assigns a JSESSIONID session cookie to users before they authenticate and does not change this session ID after the user logs in.'}, {'type': 'paragraph', 'content': "Because the session ID remains the same before and after login, an attacker who knows the victim's pre-login session ID can hijack the authenticated session by using that same session ID from another browser or client."}, {'type': 'paragraph', 'content': "This means the attacker can access authenticated resources without needing the victim's credentials."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker to hijack an authenticated session by reusing a victim's session ID obtained before login."}, {'type': 'list_item', 'content': 'Unauthorized access to SCADA monitoring pages and authenticated functionality.'}, {'type': 'list_item', 'content': 'Potential compromise of sensitive operational data and control over SCADA systems.'}, {'type': 'list_item', 'content': 'Access remains until the victim logs out or the session expires.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing if the JSESSIONID session cookie is assigned before authentication and remains the same after login, indicating that the session ID is not regenerated upon successful authentication.

A practical way to detect this is to use two browsers or HTTP clients to capture the JSESSIONID cookie before login in one client, then set the same JSESSIONID cookie in the other client and check if the second client can access authenticated pages without logging in.

Commands or tools that can help include:

  • Using curl or HTTP client tools to capture and set cookies manually.
  • Browser developer tools (Network tab) to inspect cookies and session behavior.
  • Proxy tools like Burp Suite or OWASP ZAP to intercept and modify session cookies.
Mitigation Strategies

Immediate mitigation steps include regenerating the session ID upon successful authentication to prevent session fixation.

  • Implement session ID regeneration using methods such as request.changeSessionId() or by invalidating and recreating the session after login.
  • Set session cookies with security flags: HttpOnly, Secure (when using HTTPS), and SameSite to reduce the risk of session theft.
  • Enforce HTTPS to protect session cookies from being intercepted over the network.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart