CVE-2025-22390 identifies a vulnerability in Optimizely EPiServer.CMS.Core prior to version 12.32.0, where the system enforces insufficient password complexity requirements. Specifically, the CMS permits users to create passwords with a minimum length of six characters without mandating complexity elements such as uppercase letters, digits, or special characters. This weakness aligns with CWE-521, which describes weak password requirements that fail to resist modern attack techniques. The vulnerability is remotely exploitable without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Attackers can leverage this flaw to perform password spraying attacks or offline password cracking, potentially gaining unauthorized access to user accounts or administrative functions. While no public exploits have been reported, the vulnerability poses a high risk due to the ease of exploitation and the potential impact on confidentiality. The affected product, Optimizely EPiServer.CMS.Core, is widely used in content management deployments, making this a significant concern for organizations relying on this CMS for web content delivery and management. The lack of patch links suggests that remediation may require upgrading to version 12.32.0 or later, where password policies are presumably strengthened.

The primary impact of this vulnerability is unauthorized access due to weak password policies, which can lead to confidentiality breaches. Attackers exploiting this flaw can gain access to user accounts, potentially including administrative accounts, allowing them to view sensitive content or manipulate CMS configurations. Although integrity and availability impacts are not directly indicated, unauthorized access could be leveraged to deface websites, inject malicious content, or disrupt services indirectly. The ease of exploitation without authentication or user interaction increases the risk of widespread attacks, especially via automated password spraying tools. Organizations worldwide using affected versions of Optimizely EPiServer.CMS.Core face increased risk of compromise, data leakage, and reputational damage. The vulnerability also raises compliance concerns for organizations subject to data protection regulations requiring strong authentication controls.

Organizations should immediately assess their use of Optimizely EPiServer.CMS.Core and upgrade to version 12.32.0 or later, where password complexity enforcement is improved. In the absence of an available patch, administrators should implement compensating controls such as enforcing stronger password policies via custom configuration or integration with external authentication providers that mandate complexity and length requirements. Deploying multi-factor authentication (MFA) is critical to reduce the risk of account compromise even if weak passwords are used. Monitoring authentication logs for unusual login attempts, such as repeated failed logins indicative of password spraying, can help detect exploitation attempts early. Additionally, organizations should educate users on creating strong passwords and consider implementing account lockout policies after multiple failed attempts to hinder brute-force attacks. Regular security audits and penetration testing focusing on authentication mechanisms will help identify residual weaknesses.