CVE-2025-8861 describes a critical Missing Authentication vulnerability discovered in TSA, a system developed by Changing. This flaw allows unauthenticated remote attackers to gain unauthorized access and manipulate sensitive database information. The vulnerability affects versions prior to 2025/2/6, and a patch was released on 2025/2/6.
The Missing Authentication vulnerability in TSA poses a significant risk to data integrity and confidentiality. An attacker exploiting this flaw can bypass authentication mechanisms and directly interact with the underlying database. This allows them to read sensitive data, including potentially personally identifiable information (PII), financial records, or proprietary business data. Furthermore, the attacker can modify or delete data, leading to data corruption, service disruption, and potential legal or regulatory consequences. The lack of authentication means any remote user can potentially access and compromise the system, resulting in a high blast radius.
CVE-2025-8861 was published on 2025-08-29. The vulnerability's severity is considered critical due to the ease of exploitation and potential impact. No proof-of-concept (PoC) code has been publicly released as of this writing. The EPSS score is pending evaluation, but the vulnerability's nature suggests a potentially high probability of exploitation if left unpatched.
Organizations utilizing TSA in environments with direct external access or lacking robust network segmentation are at heightened risk. Systems with legacy configurations or those relying on default credentials are particularly vulnerable. Any deployment where database access is not properly secured is potentially exposed.
EPSS: 0.24% (47th percentile)
The primary mitigation for CVE-2025-8861 is to immediately upgrade TSA to version 2025/2/6 or later, which includes the authentication fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the TSA system, implementing strict firewall rules to limit inbound connections, and closely monitoring database activity for suspicious patterns. While not a complete solution, these measures can reduce the attack surface and provide an early warning of potential exploitation. After upgrading, confirm the fix by attempting to access the TSA system without authentication and verifying that access is denied.
Upgrade TSA to version 2025/2/6 or later. This fixes the missing authentication vulnerability and prevents unauthenticated remote attackers from reading, modifying, or deleting database contents.
CVE-2025-8861 is a critical vulnerability in TSA by Changing that allows unauthenticated attackers to read, modify, and delete database contents.
If you are using TSA versions 0–2025/2/6, you are affected by this vulnerability. Upgrade immediately.
Upgrade TSA to version 2025/2/6 or later to resolve the Missing Authentication vulnerability.
There are currently no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Please refer to the Changing website or security channels for the official advisory regarding CVE-2025-8861.