CVE-2025-0849
Published: 30 January 2025
Summary
CVE-2025-0849 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Campcodes School Management Software. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 10.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforce approved authorizations on the Staff Handler /edit-staff/ function itself, so that a low-privileged user cannot edit a staff record the server has not authorized them to touch.
- AC-6 (Least Privilege): restrict teacher accounts to their own staff data, so the vulnerable endpoint cannot be used to read or modify super admin records.
- AC-5 (Separation of Duties): keep role assignment out of the hands of the account being edited, which blocks the teacher-to-super-admin escalation that an incorrect privilege assignment in the Staff Handler makes possible.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR lets a low-privileged teacher account discover sensitive super admin details (Account Discovery: Local Account, T1087.001; Data from Information Repositories: Customer Relationship Management Software, T1213.004) and make unauthorized updates to the admin account's data (Account Manipulation, T1098). Together these amount to privilege escalation through exploitation of the improper authorization check (T1068).
NVD Description
A vulnerability classified as critical has been found in CampCodes School Management Software 1.0. Affected is an unknown function of the file /edit-staff/ of the component Staff Handler. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-0849 is an improper authorization vulnerability in CampCodes School Management Software version 1.0. The issue affects an unknown function within the /edit-staff/ file of the Staff Handler component. Note the rating mismatch: VulDB classifies the issue as critical, while the CVSS v3.1 base score is 6.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. It was published on 2025-01-30T02:15:25.783 and is mapped to CWE-266 (Incorrect Privilege Assignment), CWE-285 (Improper Authorization) and NVD-CWE-noinfo.
A remote attacker who already holds a low-privileged account (PR:L) can exploit the flaw with low attack complexity and no user interaction. The endpoint does not verify that the caller is authorized for the staff record it names, so the attacker gains limited read and write access to other accounts' data, with a limited impact on confidentiality, integrity and availability each.
Advisories detail the issue on VulDB (ctiid.294012, id.294012, submit.487618). A PDF hosted on GitHub describes how a teacher account can read sensitive super admin data and push unauthorized updates to it through the IDOR, effectively moving from the teacher role to super admin control. The vendor site is campcodes.com. The exploit has been publicly disclosed and may be used; the page references no vendor fix, so treat the endpoint as unpatched unless the vendor says otherwise.
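The following is an added illustration of the flaw class described in the Deeper analysis and of the AC-3/AC-6/AC-5 controls listed under Mitigating Controls. It is not CampCodes code: the staff table, the role and field names, and the handler shapes are all assumptions chosen to show a vulnerable staff-edit handler beside a hardened one. The vulnerable handler only checks that someone is logged in and then trusts the submitted id and every form field; the hardened handler enforces an allow-list policy on the server side, keyed on the session's role rather than anything in the request.

```python
"""Vulnerable vs hardened staff-edit handler (added example, not CampCodes code).

The data, roles and field names below are constructed for illustration.
"""
from copy import deepcopy
from dataclasses import dataclass

# Allow-lists (assumed policy): what a non-admin may change on their own record,
# and which fields only a super_admin may ever set.
EDITABLE_BY_SELF = {"name", "email", "phone"}
ADMIN_ONLY_FIELDS = {"role", "username"}


def make_staff():
    """Constructed sample staff table, not real data."""
    return {
        1: {"username": "superadmin", "name": "Site Admin",
            "email": "sa@example.test", "phone": "000", "role": "super_admin"},
        7: {"username": "tchr7", "name": "T. Teacher",
            "email": "t7@example.test", "phone": "111", "role": "teacher"},
    }


@dataclass(frozen=True)
class Session:
    """Server-side session: the role comes from here, never from the form."""
    user_id: int
    role: str


class Forbidden(Exception):
    pass


def edit_staff_vulnerable(session, form, staff):
    """Reproduces the flaw class: the only check is 'is someone logged in?'.

    The staff id and every submitted field are trusted, so a teacher can send
    id=1 plus any fields and rewrite the super admin record (IDOR + mass assignment).
    """
    if session is None:
        raise Forbidden("login required")
    target = staff[int(form["id"])]
    target.update({k: v for k, v in form.items() if k != "id"})
    return dict(target)


def authorize_staff_edit(session, target_id, fields):
    """Return None if the edit is allowed, otherwise the reason it is denied."""
    if session is None:
        return "login required"
    if session.role == "super_admin":
        return None                                   # AC-3: admins may edit any record
    if session.user_id != target_id:
        return "not your record"                      # AC-6: non-admins edit only themselves
    if fields & ADMIN_ONLY_FIELDS:
        return "field reserved for super_admin"       # AC-5: no self-assigned role changes
    if not fields <= EDITABLE_BY_SELF:
        return "unknown field"                        # allow-list, so new columns are safe by default
    return None


def edit_staff_hardened(session, form, staff):
    """Same handler with object-level authorization enforced before any lookup."""
    target_id = int(form["id"])
    fields = set(form) - {"id"}
    reason = authorize_staff_edit(session, target_id, fields)
    if reason is not None:
        raise Forbidden(reason)
    # Existence is checked only after authorization, so a non-admin cannot
    # enumerate valid staff ids by watching for "no such record" errors.
    if target_id not in staff:
        raise Forbidden("no such record")
    target = staff[target_id]
    target.update({k: form[k] for k in fields})
    return dict(target)


def try_edit(handler, session, form, staff):
    """Run a handler on a copy of the table; return ('ok', record) or ('denied', reason, table)."""
    staff = deepcopy(staff)
    try:
        return ("ok", handler(session, form, staff), staff)
    except Forbidden as exc:
        return ("denied", str(exc), staff)


if __name__ == "__main__":
    teacher = Session(user_id=7, role="teacher")
    attack = {"id": "1", "email": "attacker@example.test"}
    print("vulnerable:", try_edit(edit_staff_vulnerable, teacher, attack, make_staff())[:2])
    print("hardened:  ", try_edit(edit_staff_hardened, teacher, attack, make_staff())[:2])
```

The point of the hardened version is that every decision is made from server-held state (the session) and an allow-list of fields; the id in the request is treated as untrusted input that only selects which policy question to ask. Denying before the record lookup also avoids turning the endpoint into an id oracle.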
Details
- CWE(s)