CVE-2025-52669

4.3 MEDIUM

📋 TL;DR

This vulnerability allows non-admin users in Revive Adserver to view contact names and email addresses of other users due to insecure design policies. It affects all users of Revive Adserver versions 5.5.2, 6.0.1, and earlier. The issue stems from improper access controls in the user management system.

💻 Affected Systems

Products:
  • Revive Adserver
Versions: 5.5.2, 6.0.1, and all earlier versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configurations are vulnerable. The vulnerability exists in the core user management functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could harvest user contact information for phishing campaigns, social engineering attacks, or identity theft, potentially leading to account compromise or data breaches.

🟠 Likely Case

Non-admin users can access sensitive personal information of other users, violating privacy expectations and potentially enabling targeted phishing attempts.

🟢 If Mitigated

With proper access controls, only authorized administrators can view user contact information, limiting exposure to sensitive data.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires authenticated access, internet-facing instances could allow attackers who obtain user credentials to exploit this.
🏢 Internal Only: MEDIUM - Internal users with non-admin accounts could access sensitive contact information of colleagues, creating privacy and security concerns.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires authenticated access as a non-admin user. The vulnerability is straightforward to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 5.5.2 and 6.0.1

Vendor Advisory: https://www.revive-adserver.com/security/

Restart Required: No

Instructions:

1. Back up your current installation.
2. Download the latest version from the official Revive Adserver website.
3. Follow the upgrade instructions for your specific version.
4. Verify that user access controls are properly enforced.

🔧 Temporary Workarounds

Restrict User Access (applies to: all)

Temporarily limit non-admin user access to user management interfaces.

Monitor User Activity (applies to: all)

Implement enhanced logging and monitoring of user management system access.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the Revive Adserver instance
  • Enforce strict access controls and monitor for unusual user management system access patterns

🔍 How to Verify

Check if Vulnerable:

Log in as a non-admin user and attempt to access user contact information through the user management interface. If you can view other users' contact details, the system is vulnerable.

Check Version:

Check the version in the Revive Adserver admin interface or look for version information in the installation files.

Verify Fix Applied:

After patching, log in as a non-admin user and verify that user contact information is no longer accessible. Only admin users should be able to view this information.

📡 Detection & Monitoring

Log Indicators:

  • Multiple user profile access attempts by non-admin users
  • Unusual patterns of user management system access

Network Indicators:

  • Increased traffic to user management endpoints from non-admin accounts

SIEM Query:

source="revive_adserver" AND (event_type="user_access" OR event_type="profile_view") AND user_role!="admin"
