Cyber Resilience

CVE-2025-11661

MediumPublic PoC

Published: 13 October 2025

Published
13 October 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0026 49.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11661 is a medium-severity Improper Authentication (CWE-287) vulnerability in Oranbyte School Management System. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 49.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-11661 is a missing authentication vulnerability (CWE-287, CWE-306) discovered in the ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue affects an unknown part of the software, where manipulation leads to authentication bypass.

Attackers can exploit this vulnerability remotely without privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Unauthenticated remote actors can achieve limited impacts on confidentiality, integrity, and availability. A public exploit exists and could be used against vulnerable instances.

Advisories documented on VulDB (ctiid.328078, id.328078, submit.665611) and a GitHub issue (qqy-123/cve/issues/6) detail the flaw, published on 2025-10-13. The product follows a rolling release strategy for continuous delivery, implying security practitioners should monitor the repository for updates beyond the affected commit.

EU & UK References

Vulnerability details

A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could…

more

be used. This product adopts a rolling release strategy to maintain continuous delivery

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.004 Customer Relationship Management Software Collection
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Missing authentication in public-facing School Management System (CRM) enables remote exploitation for initial access and privilege escalation to admin functions, unauthorized collection from CRM software, and manipulation of stored data like student/teacher records.

CVEs Like This One

CVE-2026-7042Shared CWE-287, CWE-306
CVE-2025-58443Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-6577Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2026-6129Shared CWE-287, CWE-306
CVE-2026-5676Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-7723Shared CWE-287, CWE-306
CVE-2026-5000Shared CWE-287, CWE-306

Affected Assets

oranbyte
school management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication requirements before granting access, blocking the authentication bypass exploited by CVE-2025-11661.

prevent

Requires unique identification and authentication of organizational users prior to system access, directly mitigating the missing authentication flaw.

AC-17 Remote Access partial match
prevent

Mandates authentication and access controls for all remote connections, limiting the unauthenticated remote exploitation described in the CVE.

References