CVE-2025-65925

6.5 MEDIUM

📋 TL;DR

A legacy API in Zeroheight SaaS allowed account creation without email verification. While unverified accounts couldn't access product features, this bypassed security controls and enabled spam/fake account creation. Only Zeroheight SaaS users before June 13, 2025 are affected.

💻 Affected Systems

Products:
  • Zeroheight SaaS
Versions: All versions prior to 2025-06-13
Operating Systems: Not applicable (SaaS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the SaaS version, not self-hosted deployments. The vulnerable API pathway was legacy functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Massive spam/fake account creation consuming system resources, potentially leading to service degradation or denial-of-service for legitimate users.

🟠 Likely Case

Spam account creation for malicious activities like phishing campaigns or resource waste, but no data access or account compromise.

🟢 If Mitigated

Minimal impact since unverified accounts cannot access product functionality, but still represents a security control bypass.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository demonstrates the bypass. Exploitation requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025-06-13 deployment

Vendor Advisory: Not provided in CVE details

Restart Required: No

Instructions:

1. Ensure your Zeroheight SaaS instance was updated on or after June 13, 2025.
2. Contact Zeroheight support to confirm the fix is applied.
3. No customer-side patching required for SaaS users.

🔧 Temporary Workarounds

Disable legacy API endpoints (all)

If self-managing Zeroheight, disable the legacy user creation API pathway. Specific commands depend on deployment configuration.

🧯 If You Can't Patch

  • Monitor account creation logs for unusual patterns or bulk registrations.
  • Implement rate limiting on account creation endpoints if possible.

🔍 How to Verify

Check if Vulnerable:

Attempt to create an account via the legacy API without email verification. If successful, the system is vulnerable.

Check Version:

Contact Zeroheight support for current deployment version as this is a SaaS service.

Verify Fix Applied:

Verify with Zeroheight support that the June 13, 2025 update was applied. Test account creation to ensure email verification is enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of account creation requests
  • Account creation requests bypassing email verification steps
  • Accounts created with incomplete verification status

Network Indicators:

  • HTTP requests to legacy user creation API endpoints
  • POST requests to /api/legacy/user/create or similar paths

SIEM Query:

source="zeroheight" AND (event_type="account_creation" AND verification_status="pending" AND count() > threshold)
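The SIEM query above leaves "threshold" unspecified. The following added example (not part of the advisory or of Zeroheight's own tooling) shows the same detection logic run over constructed log lines: it keeps only zeroheight account_creation events, skips malformed lines, and flags any source address with more than a threshold of verification_status="pending" creations inside a sliding time window. The JSON field names, the 5-minute window, the threshold of 3 and the /api/legacy/user/create path are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, ip, status, path="/api/legacy/user/create"):
    # One constructed log line (not a real Zeroheight log); the path is assumed.
    return json.dumps({"ts": ts, "source": "zeroheight", "event_type": "account_creation",
                       "verification_status": status, "src_ip": ip, "path": path})

SAMPLE_LOGS = [
    _ev("2025-06-01T10:00:00Z", "203.0.113.5", "pending"),
    _ev("2025-06-01T10:01:00Z", "203.0.113.5", "pending"),
    _ev("2025-06-01T10:01:30Z", "198.51.100.7", "verified"),
    _ev("2025-06-01T10:02:00Z", "203.0.113.5", "pending"),
    "this line is not JSON and must not abort the scan",
    _ev("2025-06-01T10:03:00Z", "203.0.113.5", "pending"),
    _ev("2025-06-01T10:04:00Z", "198.51.100.7", "pending"),
    _ev("2025-06-01T10:30:00Z", "203.0.113.5", "pending"),  # outside the 5-minute burst
]

def parse_events(lines):
    """Keep only well-formed zeroheight account_creation events, with parsed timestamps."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        if not isinstance(e, dict) or e.get("source") != "zeroheight" or e.get("event_type") != "account_creation":
            continue
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events

def flag_bulk_unverified(lines, window=timedelta(minutes=5), threshold=3):
    """Return {src_ip: peak_count} for sources with more than `threshold` pending
    (unverified) creations in any sliding `window`; both defaults are assumed tuning values."""
    pending = defaultdict(list)
    for e in sorted(parse_events(lines), key=lambda e: e["ts"]):
        if e.get("verification_status") == "pending":
            pending[e["src_ip"]].append(e["ts"])
    alerts = {}
    for ip, times in pending.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale events
            if end - start + 1 > threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts
```

Running `flag_bulk_unverified(SAMPLE_LOGS)` on the constructed lines reports only 203.0.113.5, whose four pending creations fall inside one five-minute window; the verified event and the lone pending event from the second address do not trip the rule.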
