Cyber Resilience

CVE-2025-2271
Severity: High
Published: 13 March 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0008 (24.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2271 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Issuetrak (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). Its EPSS exploit-likelihood ranking is the 24.3rd percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-2271 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the audit component in Issuetrak versions 17.2.2 and prior. It stems from improper access controls that enable a low-privileged user to access audit results belonging to other users. This exposure includes sensitive information such as user details, network and hardware data, installed programs, running processes, drives, and printers. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.

A low-privileged authenticated user can exploit this vulnerability remotely without user interaction by manipulating object references in the audit component. Successful exploitation allows the attacker to retrieve audit data from other users' activities, leading to unauthorized data exposure, privacy violations, and potential security risks through the disclosure of system configuration details.

Mitigation details are available in the Issuetrak release notes at https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes.


Vulnerability details

A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference (IDOR) vulnerability in the Issuetrak audit component. The vulnerability enables unauthorized access to sensitive information, including user details, network and hardware information, installed programs, running processes, drives, and printers. Due to improper access controls, an attacker can retrieve audit data belonging to other users, potentially leading to unauthorized data exposure, privacy violations, and security risks.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

The IDOR vulnerability in the audit component directly enables unauthorized access to other users' audit data (including system details, processes, and configurations) stored in the application's information repository.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5395 (shared CWE-639)
CVE-2026-41649 (shared CWE-639)
CVE-2026-28696 (shared CWE-639)
CVE-2026-38568 (shared CWE-639)
CVE-2026-45281 (shared CWE-639)
CVE-2026-40589 (shared CWE-639)
CVE-2026-7491 (shared CWE-639)
CVE-2026-45349 (shared CWE-639)
CVE-2026-40591 (shared CWE-639)
CVE-2026-33678 (shared CWE-639)

Affected Assets

Issuetrak (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement (prevent)

Directly addresses the improper access enforcement allowing IDOR exploitation in the audit component by requiring approved authorizations for logical access to audit data.

AC-25 Reference Monitor (prevent)

Implements a tamperproof reference monitor to enforce access control policies on direct object references, preventing low-privileged users from accessing other users' audit results.

Protection of Audit Information (prevent; the control identifier is not given on this page, the description matches AU-9)

Protects audit information from unauthorized access, modification, and deletion, mitigating the exposure of sensitive audit data belonging to other users via IDOR.
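The following is an added example, not Issuetrak code and not taken from this page, that shows the defect class described under "Deeper analysis" (a lookup that trusts a user-supplied record key, CWE-639) beside the enforcement the controls above call for: a single authorization choke point (AC-25) that checks ownership of the audit record before returning it (AC-3), returns the same error for missing and forbidden ids, and records denials so repeated probing of audit ids can be alerted on. All record ids, users and audit contents are constructed sample data.

```python
"""Object-level authorization for a per-user audit lookup (added example).

Constructed data and names; not Issuetrak code. Shows the CWE-639 pattern
(trusting a user-supplied record key) beside a hardened lookup that enforces
ownership at one choke point and keeps denied attempts for detection.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller may not see the requested record."""


@dataclass(frozen=True)
class User:
    user_id: int
    is_admin: bool = False


@dataclass
class AuditRecord:
    audit_id: int
    owner_id: int  # the user whose machine was audited
    hostname: str
    installed_programs: list[str] = field(default_factory=list)
    running_processes: list[str] = field(default_factory=list)


# Constructed sample store: two audits owned by two different users.
AUDITS: dict[int, AuditRecord] = {
    101: AuditRecord(101, owner_id=1, hostname="ws-alice",
                     installed_programs=["Office", "VPN client"],
                     running_processes=["outlook.exe", "vpn.exe"]),
    102: AuditRecord(102, owner_id=2, hostname="ws-bob",
                     installed_programs=["Office"],
                     running_processes=["excel.exe"]),
}

# Denied requests are kept for detection: several denials from one user
# across different audit_ids is what IDOR probing looks like server-side.
_DENIED: list[tuple[int, int]] = []  # (user_id, audit_id)


def get_audit_vulnerable(user: User, audit_id: int) -> AuditRecord:
    """CWE-639 pattern: the caller is authenticated, but the lookup trusts
    the client-supplied key, so any logged-in user can read any record.
    Kept only as the 'before' form."""
    return AUDITS[audit_id]


def _authorize(user: User, record: AuditRecord | None) -> AuditRecord:
    """Single enforcement point (reference-monitor style) for audit reads.
    Missing and forbidden records raise the same error so the caller cannot
    learn which audit_ids exist."""
    if record is not None and (user.is_admin or record.owner_id == user.user_id):
        return record
    raise AccessDenied("audit not found or not permitted")


def get_audit(user: User, audit_id: int) -> AuditRecord:
    """Hardened lookup: every read passes through _authorize()."""
    record = AUDITS.get(audit_id)
    try:
        return _authorize(user, record)
    except AccessDenied:
        _DENIED.append((user.user_id, audit_id))
        raise


def can_read(user: User, audit_id: int) -> bool:
    """Boolean wrapper around get_audit(); denials are still recorded."""
    try:
        get_audit(user, audit_id)
        return True
    except AccessDenied:
        return False


def list_audits(user: User) -> list[int]:
    """Ownership-scoped listing, so a client never needs to guess ids."""
    return sorted(r.audit_id for r in AUDITS.values()
                  if user.is_admin or r.owner_id == user.user_id)


def denied_attempts() -> list[tuple[int, int]]:
    """Snapshot of denied (user_id, audit_id) pairs for alerting."""
    return list(_DENIED)


def suspicious_users(threshold: int = 3) -> set[int]:
    """Users with at least `threshold` denials: a cheap IDOR-probing signal."""
    counts: dict[int, int] = {}
    for user_id, _ in _DENIED:
        counts[user_id] = counts.get(user_id, 0) + 1
    return {u for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    bob = User(2)
    print(get_audit_vulnerable(bob, 101).hostname)  # returns alice's audit
    print(can_read(bob, 101), can_read(bob, 102))   # False True
    print(list_audits(bob), suspicious_users(threshold=1))
```

The design point is that the ownership check lives in one function that every read path calls, rather than in each handler; the listing endpoint is scoped the same way, so a correct client never has to supply another user's id, and any request that does so is logged as a denial worth counting.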

References

Issuetrak release notes: https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes