CVE-2025-11554
Published: 09 October 2025
Summary
CVE-2025-11554 is a low-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Portabilis I-Educar. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33561
Vulnerability details
A security vulnerability has been detected in Portabilis i-Educar up to 2.9.10. Affected by this issue is some unknown functionality of the file app/Http/Controllers/AccessLevelController.php of the component User Type Handler. The manipulation leads to insecure inherited permissions. The attack may…
more
be initiated remotely. The exploit has been disclosed publicly and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-11554 enables remote exploitation of a public-facing web application (T1190) for privilege escalation (T1068) via arbitrary modification of user type permissions in AccessLevelController.php.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.
Regular reviews catch incorrect privilege assignments to users, roles, or processes.
Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.