CVE-2025-42601
CVE-2025-42601 is a high-severity vulnerability with a CVSS 4.0 base score of 8.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-602.
Key facts
- Severity: High (CVSS 4.0 base score 8.2)
- EPSS exploit prediction: 0% (26th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-12239
- Weakness: CWE-602
- Published:
- Last modified:
Description
This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter leading to bypassing the Captcha verification mechanism.
Frequently asked questions
- What is CVE-2025-42601?
- This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter leading to bypassing the Captcha verification mechanism.
- How severe is CVE-2025-42601?
- CVE-2025-42601 has a CVSS 4.0 base score of 8.2, rated high severity.
- Is CVE-2025-42601 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-42601?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-42601 have an EU (EUVD) identifier?
- Yes. CVE-2025-42601 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-12239.
- When was CVE-2025-42601 published?
- CVE-2025-42601 was published on 2025-04-23 and last updated on 2026-06-17.
References
Other CWE-602 vulnerabilities
- CVE-2026-42160 — Critical (CVSS 10.0): Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management.…
- CVE-2025-33025 — Critical (CVSS 9.9): A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All…
- CVE-2025-33024 — Critical (CVSS 9.9): A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All…
- CVE-2025-32469 — Critical (CVSS 9.9): A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All…
- CVE-2026-30783 — Critical (CVSS 9.8): A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient…
- CVE-2026-23478 — Critical (CVSS 9.8): Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth…