CVE-2025-11661
Published: 13 October 2025
Summary
CVE-2025-11661 is a high-severity Improper Authentication (CWE-287) vulnerability in Oranbyte School Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session content review can reveal authentication bypasses or failures in session establishment.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
Documented IA policy and procedures require proper authentication mechanisms to be defined and followed, reducing improper authentication.
Requires adaptive authentication under specific conditions, directly strengthening authentication mechanisms against improper or insufficient authentication.
Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
Requires unique identification and authentication of organizational users, directly preventing improper authentication.
Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.
Directly requires implementation of compliant authentication mechanisms to cryptographic modules, preventing improper authentication.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in a public-facing School Management System (a CRM-style application) enables remote exploitation for initial access and privilege escalation to admin functions, unauthorized collection of data from the CRM software, and manipulation of stored data such as student and teacher records.
NVD Description
A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack can be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery.
Deeper analysis
CVE-2025-11661 is a missing authentication vulnerability (CWE-287, CWE-306) discovered in the ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue affects an unknown part of the software, where manipulation leads to authentication bypass.
Attackers can exploit this vulnerability remotely without privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Unauthenticated remote actors can achieve limited impacts on confidentiality, integrity, and availability. A public exploit exists and could be used against vulnerable instances.
Advisories documented on VulDB (ctiid.328078, id.328078, submit.665611) and a GitHub issue (qqy-123/cve/issues/6) detail the flaw, published on 2025-10-13. The product follows a rolling release strategy for continuous delivery, so security practitioners should monitor the repository for fixes landing after the affected commit rather than waiting for a versioned release.
Details
- CWE(s)