CVE-2025-13221: Unprotected Storage of Credentials in Intelbras UnniTI
A weakness has been identified in Intelbras UnniTI 24.07.11. The affected element is an unknown function of the file /xml/sistema/usuarios.xml. Manipulating the argument Usuario/Senha can lead to unprotected storage of credentials. The attack can be executed remotely. An exploit has been made publicly available and could be used.
AI Analysis
Technical Summary
CVE-2025-13221 identifies a vulnerability in Intelbras UnniTI version 24.07.11 where credentials are stored unprotected in the XML file located at /xml/sistema/usuarios.xml. The vulnerability arises from improper handling of the Usuario/Senha argument, which can be manipulated remotely without authentication or user interaction. This manipulation leads to exposure of stored credentials in cleartext or weakly protected form, enabling attackers to retrieve sensitive login information. The vulnerability is remotely exploitable over the network, with low attack complexity and no privileges required, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N. The impact is primarily on confidentiality (VC:L), with no direct integrity or availability effects. Although no active exploitation has been reported, a public exploit is available, increasing the risk of compromise. The affected product, Intelbras UnniTI, is used in various environments for system management, and the exposure of credentials can facilitate unauthorized access, privilege escalation, and further compromise within affected networks. The lack of vendor patches at the time of publication necessitates immediate mitigation through access controls and monitoring. The vulnerability’s medium severity reflects the balance between ease of exploitation and limited scope of impact, but it remains a significant risk due to credential exposure and potential downstream effects.
Potential Impact
For European organizations, the unprotected storage of credentials in Intelbras UnniTI can lead to unauthorized access to critical systems if attackers retrieve and reuse these credentials. This can compromise confidentiality and potentially enable lateral movement within networks, increasing the risk of data breaches and operational disruption. Sectors such as telecommunications, manufacturing, and critical infrastructure that rely on Intelbras products may face heightened risks. Credential exposure can also facilitate supply chain attacks or insider threats if attackers gain persistent access. The remote exploitability without authentication broadens the attack surface, making organizations with externally accessible UnniTI instances particularly vulnerable. Additionally, the availability of a public exploit increases the likelihood of opportunistic attacks. European data protection regulations, including GDPR, impose strict requirements on protecting personal and sensitive data, and exploitation of this vulnerability could lead to regulatory penalties and reputational damage. Organizations may also face increased costs related to incident response, forensic investigations, and remediation.
Mitigation Recommendations
1. Immediately restrict network access to the /xml/sistema/usuarios.xml file and related UnniTI management interfaces using firewall rules, VPNs, or network segmentation to limit exposure to trusted internal networks only.
2. Monitor network traffic and logs for unusual access patterns or attempts to manipulate the Usuario/Senha argument, employing intrusion detection/prevention systems tuned for this vulnerability.
3. Rotate all credentials stored or managed by UnniTI regularly, especially if exposure is suspected or confirmed, to limit the window of compromise.
4. Implement multi-factor authentication (MFA) on systems that integrate with or rely on UnniTI to reduce the impact of credential theft.
5. Engage with Intelbras for timely patch releases and apply security updates as soon as they become available.
6. Conduct a thorough audit of all systems using UnniTI to identify and isolate vulnerable instances.
7. Educate IT and security teams about this vulnerability and the importance of safeguarding credential storage and access controls.
8. Consider deploying endpoint detection and response (EDR) solutions to detect lateral movement attempts post-exploitation.
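The log monitoring in recommendation 2 can be sketched as follows. This is an added example, not code from Intelbras or from the advisory. It assumes access logs in Combined Log Format from a reverse proxy in front of UnniTI and a placeholder trusted management network (10.20.0.0/24). The log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

SENSITIVE_PATH = "/xml/sistema/usuarios.xml"  # file named in the advisory
# Assumption: the only network allowed to reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def normalize_path(target):
    """Drop the query string, decode %xx, collapse slashes and dot segments."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path).lower()  # lowercasing errs toward alerting

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field is never treated as trusted
    return any(ip in net for net in TRUSTED_NETS)

def find_suspicious(lines):
    """Return one alert per request for the credential file from outside TRUSTED_NETS."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != SENSITIVE_PATH or is_trusted(m["ip"]):
            continue
        # A 2xx status means the file was actually served: rotate credentials.
        severity = "high" if m["status"].startswith("2") else "medium"
        alerts.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                       "status": int(m["status"]), "severity": severity})
    return alerts

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '10.20.0.15 - admin [15/Nov/2025:09:12:01 +0000] "GET /xml/sistema/usuarios.xml HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [15/Nov/2025:09:14:37 +0000] "GET /xml/sistema/usuarios.xml HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.7 - - [15/Nov/2025:09:15:02 +0000] "GET /xml//sistema/%75suarios.xml HTTP/1.1" 403 162 "-" "-"',
    '203.0.113.45 - - [15/Nov/2025:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

A "high" alert indicates the credential file was returned to an untrusted client, which is the trigger for the credential rotation in recommendation 3.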
Affected Countries
Portugal, Spain, Italy, Germany, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-14T21:14:33.763Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6918d703cdb3e870ee55d48c
Added to database: 11/15/2025, 7:39:47 PM
Last enriched: 1/7/2026, 7:40:14 PM
Last updated: 2/7/2026, 3:50:31 AM