Improper Authentication Vulnerability in SimStudioAI Software
CVE-2025-15099

6.9MEDIUM

Key Information:

Vendor

Simstudioai

Status
Sim
Vendor
CVE Published:
26 December 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-15099?

A vulnerability was discovered in SimStudioAI software that affects the CRON Secret Handler component, specifically within the file apps/sim/lib/auth/internal.ts. This vulnerability arises from improper handling of the argument INTERNAL_API_SECRET, allowing for potential authentication bypass. Threat actors can exploit this flaw to initiate attacks remotely, leading to unauthorized access. The exploit has been made publicly available, indicating an urgent need for users to apply the patch identified by the commit e359dc2946b12ed5e45a0ec9c95ecf91bd18502a to secure their systems.

Affected Version(s)

sim 0.5.0

sim 0.5.1

sim 0.5.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-15099 - Proof of Concept

References

https://vuldb.com/?id.338430
vdb-entrytechnical-description
https://vuldb.com/?ctiid.338430
signaturepermissions-required
https://vuldb.com/?submit.710255
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

28Hus (VulDB User)
JSON
.
CVE-2025-15099 : Improper Authentication Vulnerability in SimStudioAI Software