CVE-2025-22390: weak password requirements in Optimizely EPiServer CMS Core

CVSS score: 7.5 HIGH

📋 TL;DR

Optimizely EPiServer CMS Core before 12.32.0 enforces a weak default password policy, so accounts whose passwords are set through the CMS interface can be taken over by password guessing (spraying or brute force). Organizations running affected versions are exposed to unauthorized access to their content management system. Every account that can set its password through the CMS interface is affected.

💻 Affected Systems

Products:
  • Optimizely EPiServer CMS Core
Versions: All versions before 12.32.0
Operating Systems: All supported Windows Server versions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every installation that relies on the default password policy. Sites that already enforce a stricter custom policy are less exposed but should still be patched.

📦 What is this software?

Optimizely Content Management System (formerly EPiServer CMS) is an ASP.NET-based web content management platform. EPiServer.CMS.Core is the NuGet package that ships its core runtime, which is why the fix is delivered as a package upgrade rather than a standalone patch.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of CMS administrator accounts, leading to data theft, content manipulation, or lateral movement to other systems.

🟠 Likely Case: Successful password spraying against user accounts, giving the attacker unauthorized access to CMS functionality.

🟢 If Mitigated: Limited impact where strong additional authentication controls, such as MFA and account lockout, are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (password guessing against the login endpoint needs no prior access, only valid usernames)
Complexity: MEDIUM

The attack is password guessing against the CMS login: the attacker needs a list of valid usernames (harvested or guessed) and sprays or brute-forces them, and it succeeds because the default policy lets users pick passwords that are easy to guess. No authentication bypass is involved, so account lockout and MFA make it substantially harder.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.32.0 or later

Vendor Advisory: https://support.optimizely.com/hc/en-us/articles/33182255281293-Content-Management-System-CMS-Security-Advisory-CMS-2025-02

Restart Required: No server reboot; the upgraded application is redeployed (and therefore recycled) as part of the package update.

Instructions:

1. Back up the CMS database and site files.
2. Upgrade the EPiServer.CMS.Core package to 12.32.0 or later and redeploy the site.
3. Test site functionality after the upgrade.
4. Force password resets for all users: the upgrade tightens the policy for new passwords, but passwords already set under the old policy stay as weak as they were.

🔧 Temporary Workarounds

Implement Strong Password Policy (applies to: all affected versions)

Configure a custom password policy that requires at least 12 characters with complexity rules. Where the site uses the CMS's ASP.NET Core Identity membership, these rules are the IdentityOptions.Password settings (RequiredLength, RequireDigit, RequireUppercase, RequireLowercase, RequireNonAlphanumeric) configured at application startup. A policy change is only checked when a password is set, so reset accounts that were created under the old policy.

Enable Multi-Factor Authentication (applies to: all affected versions)

Require MFA for all CMS user accounts, so that a guessed password alone is not enough to log in.

🧯 If You Can't Patch

  • Enforce account lockout after a small number of failed logins. Lockout stops brute force against a single account; spraying (one guess per account) slips under it, so pair it with per-source rate limiting on the login endpoint
  • Monitor for password spraying (many usernames from one source, one or two tries each) and reset passwords that were set under the weak policy

🔍 How to Verify

Check if Vulnerable:

Check the version of the EPiServer.Cms.Core.dll assembly deployed with the site (in the site folder or its bin\ subfolder, depending on how the site was published), or the EPiServer.CMS.Core PackageReference in the project file.

Check Version:

(Get-Item "C:\inetpub\wwwroot\bin\EPiServer.CMS.Core.dll").VersionInfo | Select-Object FileVersion, ProductVersion

Verify Fix Applied:

Confirm the deployed version is 12.32.0 or later, then try to set a password that violates the policy (for example, a short one) through the CMS user interface and confirm it is rejected.
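The one-liner above checks a single known path. The script below is an added example, not from the advisory or Optimizely, that walks one or more site roots, finds every EPiServer.Cms.Core.dll, and reports whether each is below the fixed version; the default root C:\inetpub\wwwroot and the fixed-version threshold are assumptions to adjust for your deployment.

```powershell
# Added example, not from the advisory or Optimizely: find every
# EPiServer.Cms.Core.dll under the given site roots and compare its file
# version with the first fixed release. The default root is a placeholder;
# pass your own paths. On a dev box the DLL sits under bin\<Configuration>\<tfm>\.
param(
    [string[]] $SiteRoots    = @('C:\inetpub\wwwroot'),
    [version]  $FixedVersion = [version]'12.32.0'
)

$results = foreach ($root in $SiteRoots) {
    Get-ChildItem -Path $root -Recurse -Filter 'EPiServer.Cms.Core.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            # Prefer FileVersion ("12.32.0.0"); fall back to ProductVersion, which may
            # carry a "+commit" suffix that [version] cannot parse, so cut it off.
            $raw    = if ($info.FileVersion) { $info.FileVersion } else { $info.ProductVersion }
            $parsed = $null
            $ok     = [version]::TryParse(($raw -split '[+ ]')[0], [ref] $parsed)
            $status = if (-not $ok) { 'UNKNOWN (unparseable version)' }
                      elseif ($parsed -lt $FixedVersion) { 'VULNERABLE' }
                      else { 'fixed' }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $raw
                Status  = $status
            }
        }
}

if (-not $results) {
    Write-Warning "No EPiServer.Cms.Core.dll found under: $($SiteRoots -join ', ')"
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit code so the script can drive a scheduled compliance check.
    if ($results.Status -contains 'VULNERABLE') { exit 1 }
}
```

Run it as `.\Check-CmsCoreVersion.ps1 -SiteRoots 'D:\sites\cms-prod','D:\sites\cms-stage'` on each web node. A version of 12.32.0.0 compares as not less than 12.32.0 and is reported as fixed; anything below it is flagged.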

📡 Detection & Monitoring

Log Indicators:

  • Many failed logins from a single source IP, especially spread across many different usernames with one or two attempts each (the spraying signature)
  • A successful login from a source that has just produced a run of failures
  • Password change events, especially on administrator accounts, shortly after such a success

Network Indicators:

  • HTTP POST requests to login endpoints with varying credentials
  • Unusual authentication traffic patterns

SIEM Query (Splunk SPL; source, event_type, src_ip and user are placeholders for whatever fields your CMS login logging actually emits):

source="CMS_Logs" event_type="login_failure"
| bin _time span=5m
| stats count AS failures, dc(user) AS distinct_users BY src_ip, _time
| where failures > 10
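For sites without a SIEM, the same detection can be run locally over exported login logs. The script below is an added example, not from the advisory or Optimizely: it parses constructed sample lines (the line format and the event_type, user= and src_ip= field names are assumptions; map them to what your logging actually emits), applies a sliding five-minute window per source IP, and uses the distinct-user count to separate a spray from brute force against one account. It also reports a later success from the same source, which is the strongest sign that a guess landed.

```powershell
# Added example, not from the advisory or Optimizely: password-spray detection
# over constructed sample log lines. Field names and line format are assumptions.
param(
    [int] $Threshold     = 10,   # same threshold as the SIEM query above
    [int] $WindowMinutes = 5
)

# Constructed sample data: 12 accounts tried once each from one IP in about
# four minutes, then a success from that IP; plus a legitimate user who
# mistypes a password twice and then gets in.
$sampleLog = @'
2025-05-01T10:00:01Z login_failure user=alice   src_ip=203.0.113.7
2025-05-01T10:00:20Z login_failure user=bob     src_ip=203.0.113.7
2025-05-01T10:00:39Z login_failure user=carol   src_ip=203.0.113.7
2025-05-01T10:00:58Z login_failure user=dave    src_ip=203.0.113.7
2025-05-01T10:01:17Z login_failure user=erin    src_ip=203.0.113.7
2025-05-01T10:01:36Z login_failure user=frank   src_ip=203.0.113.7
2025-05-01T10:01:55Z login_failure user=grace   src_ip=203.0.113.7
2025-05-01T10:02:14Z login_failure user=heidi   src_ip=203.0.113.7
2025-05-01T10:02:33Z login_failure user=ivan    src_ip=203.0.113.7
2025-05-01T10:02:52Z login_failure user=judy    src_ip=203.0.113.7
2025-05-01T10:03:11Z login_failure user=mallory src_ip=203.0.113.7
2025-05-01T10:03:30Z login_failure user=oscar   src_ip=203.0.113.7
2025-05-01T10:03:49Z login_success user=oscar   src_ip=203.0.113.7
2025-05-01T10:02:05Z login_failure user=peggy   src_ip=198.51.100.4
2025-05-01T10:02:31Z login_failure user=peggy   src_ip=198.51.100.4
2025-05-01T10:02:50Z login_success user=peggy   src_ip=198.51.100.4
'@

# Parse each line into a typed event; DateTimeOffset keeps the UTC "Z" intact.
$events = foreach ($line in ($sampleLog -split "`r?`n")) {
    if ($line -match '^(?<ts>\S+)\s+(?<type>\S+)\s+user=(?<user>\S+)\s+src_ip=(?<ip>\S+)') {
        [pscustomobject]@{
            Time = [datetimeoffset]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
            Type = $Matches.type
            User = $Matches.user
            Ip   = $Matches.ip
        }
    }
}

$alerts = foreach ($group in ($events | Group-Object -Property Ip)) {
    $ip       = $group.Name
    $failures = @($group.Group | Where-Object Type -eq 'login_failure' | Sort-Object Time)
    $start    = 0
    for ($i = 0; $i -lt $failures.Count; $i++) {
        # Slide the window start forward until it is within $WindowMinutes of event $i.
        while (($failures[$i].Time - $failures[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
        if (($i - $start + 1) -gt $Threshold) {
            $window = $failures[$start..$i]
            $users  = @($window.User | Sort-Object -Unique)
            # Spray: about as many accounts as attempts. Brute force: few accounts, many attempts.
            $pattern = if ($users.Count -ge ($window.Count / 2)) { 'password spray' } else { 'brute force' }
            # A success from the same source after the window started is the real alarm.
            $success = $group.Group |
                Where-Object { $_.Type -eq 'login_success' -and $_.Time -ge $failures[$start].Time } |
                Select-Object -First 1
            $successUser = if ($success) { $success.User } else { '-' }
            [pscustomobject]@{
                SrcIp            = $ip
                Failures         = $window.Count
                DistinctUsers    = $users.Count
                Pattern          = $pattern
                WindowStart      = $failures[$start].Time
                WindowEnd        = $failures[$i].Time
                SuccessAfterRun  = $successUser
            }
            break   # one alert per source IP is enough for this illustration
        }
    }
}

if ($alerts) { $alerts | Format-List } else { 'No source IP exceeded the threshold.' }
```

On the sample data the script raises one alert for 203.0.113.7 (11 failures across 11 distinct accounts in the window where the threshold is crossed, pattern "password spray", followed by a success as oscar) and nothing for 198.51.100.4. Replace `$sampleLog` with `Get-Content` over your exported log to run it on real data.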
