Cyber Resilience

CVE-2024-53573

CriticalPublic PoC

Published: 26 February 2025

Published
26 February 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 50.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53573 is a critical-severity Improper Access Control (CWE-284) vulnerability in Changeweb Unifiedtransform. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

Unifiedtransform v2.X, an open-source school management system, is affected by CVE-2024-53573, an incorrect access control vulnerability classified under CWE-284. The flaw allows unauthorized users to access and manipulate endpoints intended exclusively for administrative use, with the teacher/edit/{id} endpoint specifically impacted. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it represents a critical risk due to its potential for high-impact unauthorized modifications without requiring authentication or user interaction.

Attackers can exploit this vulnerability remotely over the network with no privileges or special conditions needed. Any unauthenticated user, including external adversaries, can directly access the vulnerable endpoint to view, edit, or delete sensitive teacher information, potentially leading to data tampering, unauthorized privilege escalation within the system, or broader compromise of school administrative functions.

Mitigation details are outlined in advisories available at the following references: https://drive.google.com/file/d/14Or6QIpOeLEqdFm1mwxdE_NNCOwMmcFc/view and https://www.getastra.com/blog/vulnerability/improper-access-control-in-school-management-system-unifiedtransform/. Security practitioners should consult these sources for patching instructions, access control hardening recommendations, and any vendor-provided updates to address the exposure in Unifiedtransform v2.X deployments.

EU & UK References

Vulnerability details

Unifiedtransform v2.X is vulnerable to Incorrect Access Control. Unauthorized users can access and manipulate endpoints intended exclusively for administrative use. This issue specifically affects teacher/edit/{id}.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of public-facing web app via unauthenticated access control bypass on admin endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25616Same product: Changeweb Unifiedtransform
CVE-2025-25614Same product: Changeweb Unifiedtransform
CVE-2026-39339Shared CWE-284
CVE-2026-46839Shared CWE-284
CVE-2025-26010Shared CWE-284
CVE-2026-34291Shared CWE-284
CVE-2023-47539Shared CWE-284
CVE-2026-23899Shared CWE-284
CVE-2025-7016Shared CWE-284
CVE-2026-46822Shared CWE-284

Affected Assets

changeweb
unifiedtransform
2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations for logical access, directly preventing unauthorized users from accessing and manipulating administrative endpoints like teacher/edit/{id}.

prevent

AC-6 enforces least privilege, ensuring only authorized administrators can access sensitive teacher edit functions, mitigating the incorrect access control flaw.

prevent

AC-14 limits and documents actions permitted without identification or authentication, countering the vulnerability's allowance of admin operations by unauthenticated users.

References