CVE-2025-11322 in NovoSGA
Summary
by MITRE • 10/06/2025
A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component User Creation Page. Executing manipulation of the argument Senha/Confirmação da senha can lead to weak password requirements. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 10/06/2025
The vulnerability identified as CVE-2025-11322 represents a critical weakness in the Mangati NovoSGA software version 2.2.12 and earlier, specifically within the user creation functionality. This flaw exists in the /novosga.users/new file component where the password validation mechanism fails to enforce strong password policies. The vulnerability manifests through manipulation of the Senha/Confirmação da senha parameters during user account creation, allowing attackers to bypass the intended security controls that should enforce robust password requirements.
This weakness is classified under CWE-521, which covers weak password requirements and insufficient password quality checks. The vulnerability's remote exploitability means that attackers can potentially target this issue from external networks without requiring physical access to the system. The attack complexity is rated as high due to the sophisticated nature of the exploitation process, which requires understanding of the application's internal structure and precise manipulation of the password validation parameters. The fact that a working exploit has been published indicates that this vulnerability is not merely theoretical but represents an active threat that malicious actors can leverage.
The operational impact of this vulnerability extends beyond simple credential theft, as weak password requirements create a significant attack surface for various malicious activities including account takeover, privilege escalation, and potential lateral movement within the system. The lack of vendor response to early disclosure attempts creates additional risk for affected organizations, as they may not receive timely patches or mitigation guidance. This vulnerability directly relates to the ATT&CK technique T1110.003 which covers credential stuffing and T1078.004 which addresses valid accounts, as weak passwords make it easier for attackers to compromise legitimate user accounts.
Organizations utilizing Mangati NovoSGA versions up to 2.2.12 should immediately implement compensating controls such as enforcing strong password policies at the network level, implementing account lockout mechanisms, and monitoring for unusual authentication patterns. The recommended mitigation strategy includes upgrading to the latest version of NovoSGA where this vulnerability has been addressed, while also implementing additional layers of authentication such as multi-factor authentication to reduce the risk of successful exploitation. Security teams should also conduct thorough vulnerability assessments to identify any other potential weak points in their authentication infrastructure that could be exploited in conjunction with this vulnerability.
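One way to apply the password-policy compensating control at a reverse proxy in front of the application, as an added example that is not NovoSGA code and not part of the advisory. The form field names, the minimum length and the blocklist are assumptions: the advisory gives only the field labels (Senha, Confirmação da senha), so set the names to what your deployment actually posts.

```python
from urllib.parse import parse_qs

CREATE_PATH = "/novosga.users/new"    # path named in the advisory
# Hypothetical field names (assumptions, not taken from NovoSGA):
USERNAME_FIELD = "username"
PASSWORD_FIELD = "password"           # the "Senha" input
CONFIRM_FIELD = "password_confirm"    # the "Confirmação da senha" input
MIN_LENGTH = 12                       # constructed policy value
# Constructed sample blocklist; load a real breached-password list in production.
BLOCKLIST = {"123456789012", "password1234", "qwertyuiop12", "novosga12345"}


def policy_violations(username, password, confirm):
    """Return the list of policy rules this password fails (empty = acceptable)."""
    problems = []
    if password != confirm:
        problems.append("confirmation does not match")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("on the common-password blocklist")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def screen_request(method, path, body):
    """Decide (allow, reasons) for one request; body is the urlencoded form."""
    if method.upper() != "POST" or path.split("?")[0].rstrip("/") != CREATE_PATH:
        return True, []  # not a user-creation submit, pass through
    form = parse_qs(body, keep_blank_values=True)
    if PASSWORD_FIELD not in form:
        # Fail closed: an unexpected form shape must not skip the check.
        return False, ["password field missing"]
    if any(len(form.get(k, [])) > 1 for k in (PASSWORD_FIELD, CONFIRM_FIELD)):
        # Proxy and application may pick different copies of a repeated field.
        return False, ["duplicate password fields"]
    first = lambda key: form.get(key, [""])[0]
    reasons = policy_violations(
        first(USERNAME_FIELD), first(PASSWORD_FIELD), first(CONFIRM_FIELD))
    return (not reasons), reasons
```

Because the check fails closed, a wrong field name blocks every user-creation request rather than silently letting weak passwords through, which makes a misconfiguration visible immediately.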