CVE-2025-11322: Weak Password Requirements in Mangati NovoSGA
A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component User Creation Page. Manipulating the argument Senha/Confirmação da senha (the password and password-confirmation fields) can lead to weak password requirements. The attack can be launched remotely. Attacks of this nature are highly complex, and exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11322 identifies a vulnerability in Mangati NovoSGA, a software product used for service management, affecting all versions up to 2.2.12. The flaw resides in the User Creation Page component, specifically in the handling of the password (Senha) and password confirmation fields. Due to improper validation or enforcement of password complexity requirements, an attacker can remotely manipulate these fields to create user accounts with weak passwords. This undermines the intended security controls designed to enforce strong credential policies. The vulnerability can be exploited remotely without authentication or user interaction, but the attack complexity is high, indicating that a skilled attacker is required. Although the exploit has been published, no known exploits are currently observed in the wild. The vendor was notified but has not issued a patch or response, leaving affected systems exposed. The CVSS 4.0 base score is 6.3 (medium severity), reflecting the network attack vector, high attack complexity, no privileges or user interaction needed, and limited impact on confidentiality. The vulnerability primarily threatens confidentiality by enabling weak credentials that could be leveraged for unauthorized access or lateral movement within affected environments.
Potential Impact
For European organizations using Mangati NovoSGA, this vulnerability poses a risk of unauthorized account creation with weak passwords, potentially leading to credential compromise and unauthorized access to sensitive service management data. This can result in data breaches, disruption of service management workflows, and potential escalation of privileges if attackers leverage weak credentials to move laterally. The medium severity indicates a moderate risk, but the lack of vendor response and patches increases exposure duration. Organizations in sectors relying heavily on service management platforms, such as public administration, utilities, and large enterprises, may face operational and reputational impacts. Confidentiality is the primary concern, but integrity and availability could be indirectly affected if attackers manipulate service management processes. The remote exploitability without authentication increases the threat surface, especially if the User Creation Page is exposed to untrusted networks or the internet.
Mitigation Recommendations
Since no official patch is available, European organizations should implement compensating controls immediately. These include:
1) Restrict network access to the User Creation Page, limiting it to trusted internal networks or VPNs.
2) Implement external strong password policies and validation mechanisms at the network or application gateway level to enforce complexity on account creation requests.
3) Monitor logs for unusual account creation activity or weak password usage.
4) Conduct regular audits of user accounts to identify and remediate weak passwords.
5) Employ multi-factor authentication (MFA) for all accounts created through NovoSGA to mitigate risks from weak passwords.
6) Engage with Mangati for updates and consider alternative solutions if remediation is delayed.
7) Educate administrators on the risks and ensure strict operational procedures around user management.
These targeted actions go beyond generic advice by focusing on access controls, monitoring, and compensating authentication mechanisms.
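The gateway-level password validation in recommendation 2, as an added example that is not NovoSGA's own code: it checks the two password fields of a user-creation submission for a confirmation mismatch, minimum length, character-class mix and a common-password blocklist, and returns every violation so the request can be rejected before it reaches the application. The form field names (`senha`, `confirmacao`), the thresholds and the blocklist contents are assumptions.

```python
import re
import unicodedata

# Constructed blocklist for illustration; a deployment would load a full breached-password list.
COMMON_PASSWORDS = {"123456", "password", "senha123", "qwerty", "admin"}
MIN_LENGTH = 12  # assumed policy threshold
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]


def check_password_policy(password: str, confirmation: str) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    # Normalize Unicode so visually identical inputs (e.g. composed vs. decomposed accents) compare equal.
    pw = unicodedata.normalize("NFC", password)
    conf = unicodedata.normalize("NFC", confirmation)
    problems = []
    if pw != conf:
        problems.append("confirmation does not match")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(cls, pw)) for cls in CHARACTER_CLASSES) < 3:
        problems.append("fewer than 3 of: lowercase, uppercase, digit, symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("found in common-password blocklist")
    return problems


def validate_user_creation(form: dict) -> tuple[bool, list[str]]:
    """Validate the password fields of a user-creation form (field names are assumed)."""
    problems = check_password_policy(form.get("senha", ""), form.get("confirmacao", ""))
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample submissions, not captured traffic.
    weak = {"nome": "operador", "senha": "123456", "confirmacao": "123456"}
    strong = {"nome": "operador", "senha": "Guiche-7!Atendimento", "confirmacao": "Guiche-7!Atendimento"}
    for form in (weak, strong):
        ok, why = validate_user_creation(form)
        print(form["senha"], "accepted" if ok else "rejected: " + "; ".join(why))
```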
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Portugal
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-05T06:41:05.233Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e35731815f0abbc161fe58
Added to database: 10/6/2025, 5:44:17 AM
Last enriched: 10/6/2025, 5:44:40 AM
Last updated: 10/7/2025, 12:00:51 AM