CVE-2025-1214

Published: Feb 12, 2025Modified: Oct 17, 2025

5.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Affected (1)

Products: Pihome: Maxair

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pihome Maxair	Version 2.0

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (5)

https://github.com/janssensjelle/published-pocs/blob/main/pihomehvac-improper-access-control.md

Source: cna@vuldb.com

ExploitMitigationThird Party Advisory

https://vuldb.com/?ctiid.295173

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.295173

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.497533

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://github.com/janssensjelle/published-pocs/blob/main/pihomehvac-improper-access-control.md

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitMitigationThird Party Advisory

Timeline

No history available yet.