CVE-2025-0744

7.5 HIGH

📋 TL;DR

An authenticated attacker can change their subscription plan without payment by manipulating POST requests to the payment endpoint. This affects all EmbedAI installations running version 2.1 or below in which users have authenticated access to the system.

💻 Affected Systems

Products:
  • EmbedAI
Versions: 2.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. Requires authenticated user access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Massive revenue loss from widespread subscription fraud, potential service degradation from unauthorized premium feature usage, and reputational damage to the organization.

🟠 Likely Case

Individual users upgrading their plans without payment, resulting in direct revenue loss and unauthorized access to premium features.

🟢 If Mitigated

Minimal impact with proper access controls and payment validation in place, limiting exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and understanding of the API endpoint structure. No public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: EmbedAI version 2.2 or later

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai

Restart Required: No

Instructions:

1. Upgrade EmbedAI to version 2.2 or later.
2. Verify the patch is applied by checking the version.
3. Test payment functionality to ensure proper access controls are in place.

🔧 Temporary Workarounds

Temporary endpoint restriction (applies to: all)

Temporarily block or restrict access to the vulnerable endpoint while awaiting the patch.

Enhanced monitoring (applies to: all)

Implement additional logging and alerting for suspicious payment endpoint activity.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious POST requests to the payment endpoint
  • Add server-side validation to verify payment completion before allowing subscription changes

🔍 How to Verify

Check if Vulnerable:

Check if EmbedAI version is 2.1 or below. Test if authenticated users can modify subscription plans without completing payment.

Check Version:

Check the EmbedAI admin panel or configuration files for version information.

Verify Fix Applied:

Verify installation is version 2.2 or later. Test that subscription changes require successful payment validation.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /demos/embedai/pmt_cash_on_delivery/pay from same user without corresponding payment success logs
  • Subscription plan changes without payment completion events

Network Indicators:

  • Unusual patterns of POST requests to payment endpoint
  • Subscription API calls without preceding payment API calls

SIEM Query:

source="embedai" AND (url_path="/demos/embedai/pmt_cash_on_delivery/pay" AND NOT payment_status="success")

🔗 References