Skip to main content

CVE-2025-48138: CWE-862 Missing Authorization in berthaai BERTHA AI

Medium
VulnerabilityCVE-2025-48138cvecve-2025-48138cwe-862
Published: Fri May 16 2025 (05/16/2025, 15:45:15 UTC)
Source: CVE
Vendor/Project: berthaai
Product: BERTHA AI

Description

Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.11.

AI-Powered Analysis

AILast updated: 07/11/2025, 23:04:05 UTC

Technical Analysis

CVE-2025-48138 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the BERTHA AI product developed by berthaai, up to version 1.12.11. This vulnerability arises due to incorrectly configured access control security levels, which results in missing authorization checks. Specifically, the flaw allows an attacker with some level of privileges (PR:L - Privileges Required: Low) to exploit the system remotely (AV:N - Attack Vector: Network) without requiring user interaction (UI:N). The vulnerability does not impact confidentiality or integrity but affects availability (A:L), meaning an attacker could potentially disrupt service or cause denial of service conditions. The CVSS 3.1 base score is 4.3, indicating a medium severity level. The vulnerability is publicly disclosed as of May 16, 2025, but there are no known exploits in the wild yet, and no patches have been linked or released at this time. The issue is critical from an access control perspective because missing authorization checks can allow unauthorized actions or resource access, potentially leading to service disruption or unauthorized system behavior. Since BERTHA AI is an AI-driven product, the impact could extend to AI service availability or reliability, affecting dependent workflows or applications.

Potential Impact

For European organizations, the impact of this vulnerability could be significant depending on their reliance on BERTHA AI for critical AI services or business processes. The availability impact means that attackers could cause service interruptions, potentially disrupting operations that depend on AI-driven automation, content generation, or decision support. Organizations in sectors such as finance, healthcare, manufacturing, and public services that integrate BERTHA AI into their workflows might experience operational delays or degraded service quality. Additionally, missing authorization could be leveraged as a stepping stone for further attacks if combined with other vulnerabilities or misconfigurations. Although the confidentiality and integrity are not directly affected, the availability impact alone can lead to financial losses, reputational damage, and compliance challenges, especially under strict European data protection and operational resilience regulations. The lack of patches currently increases the risk window, and organizations must be vigilant in monitoring and mitigating potential exploitation attempts.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement compensating controls immediately. These include: 1) Restricting network access to BERTHA AI management interfaces and APIs using firewalls or network segmentation to limit exposure to trusted internal users only; 2) Enforcing strict role-based access control (RBAC) and reviewing user privileges to ensure minimal necessary access, reducing the risk from low-privilege accounts; 3) Monitoring and logging all access attempts and unusual activities related to BERTHA AI to detect potential exploitation attempts early; 4) Applying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspicious access patterns targeting authorization flaws; 5) Engaging with the vendor for timely updates and patches, and preparing for rapid deployment once available; 6) Conducting internal security assessments and penetration tests focusing on access control mechanisms of BERTHA AI deployments; 7) Educating administrators and users about the risks of missing authorization vulnerabilities and enforcing strict operational security policies.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-05-15T18:01:40.432Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f91484d88663aebd7f

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 11:04:05 PM

Last updated: 7/25/2025, 11:49:14 PM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats