CVE-2025-11661
Published: 13 October 2025
Summary
CVE-2025-11661 is a medium-severity Improper Authentication (CWE-287) vulnerability in Oranbyte School Management System. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 49.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2025-11661 is a missing authentication vulnerability (CWE-287, CWE-306) discovered in the ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue affects an unknown part of the software, where manipulation leads to authentication bypass.
Attackers can exploit this vulnerability remotely without privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Unauthenticated remote actors can achieve limited impacts on confidentiality, integrity, and availability. A public exploit exists and could be used against vulnerable instances.
Advisories documented on VulDB (ctiid.328078, id.328078, submit.665611) and a GitHub issue (qqy-123/cve/issues/6) detail the flaw, published on 2025-10-13. The product follows a rolling release strategy for continuous delivery, so defenders should monitor the repository for fixes landing after the affected commit rather than waiting for a versioned release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33957
Vulnerability details
A vulnerability was found in ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. It affects an unknown part of the software; manipulation results in missing authentication. The attack can be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery.
- CWE(s): CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in a public-facing School Management System (CRM) enables remote exploitation for initial access and privilege escalation to admin functions, unauthorized collection of data from the CRM software, and manipulation of stored data such as student and teacher records.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication requirements before granting access, blocking the authentication bypass exploited by CVE-2025-11661.
- IA-2 (Identification and Authentication (Organizational Users)): requires unique identification and authentication of organizational users prior to system access, directly mitigating the missing authentication flaw.
- Remote access: mandates authentication and access controls for all remote connections, limiting the unauthenticated remote exploitation described in the CVE.
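As an added example (not code from the affected project; the route names, session fields, roles and sample data are hypothetical), the following contrasts the unauthenticated dispatch pattern behind a CWE-306 flaw like the one in "Why these techniques?" with a deny-by-default gate that applies the AC-3 and IA-2 controls listed above before any privileged handler runs:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # identity established at login (IA-2); None = anonymous
    role: Optional[str] = None

@dataclass
class Response:
    status: int
    body: str

def export_student_records(req: Request) -> Response:
    # Hypothetical privileged function; returns constructed sample data.
    return Response(200, "student records for " + (req.session_user or "anonymous"))

# Vulnerable pattern (CWE-306): the route table is consulted and the handler is
# invoked with no identity check, so any remote caller reaches admin functions.
VULNERABLE_ROUTES = {"/admin/export_students": export_student_records}
def dispatch_without_auth(routes: Dict[str, Callable], req: Request) -> Response:
    handler = routes.get(req.path)
    return handler(req) if handler else Response(404, "not found")

# Hardened pattern: authentication (IA-2) and access enforcement (AC-3) happen
# centrally, before dispatch, so a privileged handler is never reached anonymously.
class Router:
    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[Callable, Optional[str]]] = {}

    def add(self, path: str, handler: Callable, required_role: Optional[str] = None) -> None:
        self._routes[path] = (handler, required_role)

    def dispatch(self, req: Request) -> Response:
        entry = self._routes.get(req.path)
        if entry is None:
            return Response(404, "not found")
        handler, required_role = entry
        if required_role is not None:
            if req.session_user is None:   # no authenticated identity: reject
                return Response(401, "authentication required")
            if req.role != required_role:  # authenticated but not authorised
                return Response(403, "forbidden")
        return handler(req)

def build_router() -> Router:
    r = Router()
    r.add("/public/announcements", lambda req: Response(200, "announcements"))
    r.add("/admin/export_students", export_student_records, required_role="admin")
    return r
```

The hardened router rejects anonymous and under-privileged callers with 401/403 before the handler executes; the same request against the unprotected dispatcher returns the records.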