CVE-2025-0352 Overview
CVE-2025-0352 affects the Rapid Response Monitoring My Security Account App. The application exposes an API that fails to properly validate user authorization on requests. An attacker can modify request parameters to retrieve information belonging to other users. The flaw is classified as an Authorization Bypass Through User-Controlled Key [CWE-639], commonly referred to as Insecure Direct Object Reference (IDOR). CISA published the issue under ICS Advisory ICSA-25-051-05 due to its impact on physical security monitoring services.
Critical Impact
An unauthenticated remote attacker can manipulate API request data to access other users' security account information, exposing confidential customer details tied to physical security monitoring.
Affected Products
- Rapid Response Monitoring My Security Account App
- Vendor-hosted API endpoints serving the My Security Account application
- Customer accounts associated with the affected monitoring service
Discovery Timeline
- 2025-02-20 - CVE-2025-0352 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-0352
Vulnerability Analysis
The Rapid Response Monitoring My Security Account App relies on a backend API that accepts client-supplied identifiers to fetch account information. The API trusts these identifiers without verifying that the authenticated session owns the referenced resource. An attacker who modifies the identifier in a request receives data belonging to other users of the platform. Because the service handles physical security monitoring data, exposed records may include account holder details and security configuration metadata.
Root Cause
The root cause is missing object-level authorization on the API. The application performs authentication but does not enforce that the requesting user is authorized for the specific record referenced by the request. This pattern matches [CWE-639], where access control decisions depend on a user-controlled key without server-side validation. See the CISA ICS Advisory ICSA-25-051-05 for additional vendor context.
Attack Vector
The attack is conducted over the network with low complexity and requires no privileges or user interaction. An attacker intercepts a legitimate API call, substitutes the user identifier or account reference parameter with a value belonging to another customer, and replays the request. The API returns data scoped to the substituted identifier. No exploit code or proof-of-concept is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-0352
Indicators of Compromise
- API access logs showing a single session iterating through sequential or non-owned account identifiers.
- Spikes in API responses returning account data to clients that did not previously query those accounts.
- Authentication tokens issued to one user generating requests referencing identifiers outside their normal scope.
Detection Strategies
- Implement server-side checks that compare the session principal against the resource owner on every API response, and alert when mismatches occur.
- Deploy API gateway anomaly detection focused on horizontal access patterns, such as one user retrieving many distinct account IDs in a short window.
- Correlate web application firewall logs with backend authorization decisions to identify parameter tampering attempts.
Monitoring Recommendations
- Monitor API endpoints belonging to the My Security Account App for elevated request volumes from single sessions.
- Forward application and gateway logs to a centralized analytics platform for behavioral baselining of per-user access patterns.
- Track outbound responses for unusual data volumes returned to authenticated mobile clients.
How to Mitigate CVE-2025-0352
Immediate Actions Required
- Contact Rapid Response Monitoring through the RRMS Contact Information Page to confirm remediation status for the My Security Account App API.
- Rotate credentials and session tokens for affected accounts if unauthorized access is suspected.
- Review API logs for the period preceding the advisory date to identify potential prior exploitation.
Patch Information
Rapid Response Monitoring addresses the vulnerability on the server-side API. Because the issue resides in the vendor-operated backend, customers do not need to deploy a client-side patch. Refer to CISA ICS Advisory ICSA-25-051-05 for the latest remediation guidance and vendor coordination details.
Workarounds
- Limit use of the My Security Account App until the vendor confirms the API authorization fix has been deployed.
- Restrict app access to trusted networks where feasible and enforce multi-factor authentication on customer accounts.
- Audit account contact information and security configuration after remediation to verify integrity.
# Example: server-side authorization check pattern to enforce object ownership
# (illustrative pseudocode for reference, not vendor code)
if request.session.user_id != record.owner_id:
return HTTP_403_FORBIDDEN
return record
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
