High severity 7.5 · NVD Advisory · Published Apr 24, 2025 · Updated Apr 15, 2026
CVE-2025-27580
Description
NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows unauthenticated users with a Common Access Card (CAC) to escalate privileges and compromise any account, including administrators.
Patches
No patches discovered yet.
References
- brics.cit.nih.gov (NVD)
- bugculture.io/CVE-2025-27580/ (NVD)
- github.com/RoseHacks/Vulnerability.Research/blob/main/CVE-2025-27580/README.md (NVD)
- github.com/brics-dev/brics/blob/26bc6bb627a9a60e6c6a8a8c29735ae98c2e2679/core/src/main/java/gov/nih/tbi/CoreConstants.java (NVD)
- github.com/brics-dev/brics/blob/26bc6bb627a9a60e6c6a8a8c29735ae98c2e2679/service/src/main/java/gov/nih/tbi/account/service/complex/AccountManagerImpl.java (NVD)