Cyber Posture

CVE-2025-25614

Severity: High · Public PoC

Published: 10 March 2025
Modified: 23 June 2025
KEV Added: not listed
Patch: none listed on this page
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (61.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25614 is a high-severity Improper Access Control (CWE-284) vulnerability in Changeweb Unifiedtransform 2.0. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it in the top 39.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 Access Enforcement (prevent): enforces approved authorizations for access to system resources. Applied here, that means the update handler must check that the teacher record being modified belongs to the caller (or that the caller is an administrator), which is exactly the check whose absence lets teachers update other teachers' personal data.

AC-6 Least Privilege (prevent): restricts an authenticated teacher to only the accesses the role requires, so the teacher role carries no ability to modify fellow teachers' records and the escalation path is closed.

AC-2 Account Management (prevent): manages accounts and role assignments, reducing the chance that an improper role configuration grants the cross-teacher update capability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Incorrect access control lets an authenticated low-privilege user (a teacher) perform an action the application intends for administrators, editing other teachers' personal data, which is why the vulnerability maps to Exploitation for Privilege Escalation.

NVD Description

Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation, which allows teachers to update the personal data of fellow teachers.

Deeper analysis [AI]

CVE-2025-25614 is an incorrect access control vulnerability in Unifiedtransform version 2.0 that enables privilege escalation. It allows authenticated teachers to update the personal data of other teachers, violating the intended role-based access restrictions. The issue is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); the vector rates the impact as high on confidentiality, integrity and availability.

The vulnerability is exploitable over the network by low-privileged users (PR:L), in practice anyone holding a teacher account, with low attack complexity and no user interaction required. An attacker with such an account can modify the personal data of fellow teachers. Note that the published description documents a horizontal escalation (one teacher acting on another teacher's record) rather than an elevation to administrator rights, so treat the high confidentiality and availability ratings as the vector's scoring rather than as documented disclosure or outage effects; the concrete, documented effect is unauthorized alteration of other users' data.

Advisories and further details are available in the provided references, including the CVE disclosure repository at https://github.com/armaansidana2003/CVE-2025-25614 and the Unifiedtransform project at https://github.com/changeweb/Unifiedtransform.
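The access-control gap described above, and the AC-3/AC-6 check that closes it, as an added example. This is not Unifiedtransform's code (the project itself is a PHP/Laravel application) but a framework-neutral Python model of a teacher profile-update handler: the first version only asks whether the caller is a logged-in teacher, the hardened version also asks whether the record belongs to the caller or the caller is an administrator, and it allow-lists the updatable fields. Role names, user records and field names are all hypothetical.

```python
"""Added example, not Unifiedtransform code: a vulnerable and a hardened
profile-update handler for the CVE-2025-25614 bug class. All records, role
names and field names below are constructed for illustration."""

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested update."""


@dataclass
class User:
    id: int
    role: str   # hypothetical role names: "admin" or "teacher"
    name: str
    phone: str


def sample_users():
    """Constructed sample records (not real data)."""
    return {
        1: User(1, "admin", "Site Admin", "000"),
        11: User(11, "teacher", "Teacher A", "111"),
        12: User(12, "teacher", "Teacher B", "222"),
    }


# Fields a caller may change on a profile. Anything else (notably "role")
# is rejected so the handler cannot be used as a mass-assignment sink.
UPDATABLE_FIELDS = frozenset({"name", "phone"})


def vulnerable_update(users, actor, target_id, changes):
    """Mirrors the bug class: the handler checks only that the caller is a
    logged-in teacher (or admin), never that the record is the caller's own,
    so any teacher can rewrite any colleague's data (horizontal escalation)."""
    if actor.role not in ("teacher", "admin"):
        raise Forbidden("login required")
    target = users[target_id]
    for field, value in changes.items():
        setattr(target, field, value)   # no field allow-list either
    return target


def can_update_profile(actor, target):
    """AC-3 access enforcement with AC-6 least privilege: admins may edit any
    teacher record, a teacher may edit only their own record."""
    if actor.role == "admin":
        return True
    return actor.role == "teacher" and actor.id == target.id


def hardened_update(users, actor, target_id, changes):
    """Same operation with the object-level authorization check in place."""
    target = users.get(target_id)
    if target is None or not can_update_profile(actor, target):
        # One error for "not found" and "not yours" so the response cannot be
        # used to enumerate which record IDs exist.
        raise Forbidden("not permitted")
    disallowed = set(changes) - UPDATABLE_FIELDS
    if disallowed:
        raise ValueError(f"fields not updatable: {sorted(disallowed)}")
    for field, value in changes.items():
        setattr(target, field, value)
    return target


def demo():
    """Runs Teacher A's (id 11) attempt to change Teacher B's (id 12) phone
    number through both handlers and reports what each one allowed."""
    results = {}
    users = sample_users()
    vulnerable_update(users, users[11], 12, {"phone": "999"})
    results["vulnerable_cross_teacher_changed"] = users[12].phone == "999"

    users = sample_users()
    try:
        hardened_update(users, users[11], 12, {"phone": "999"})
        results["hardened_cross_teacher_changed"] = True
    except Forbidden:
        results["hardened_cross_teacher_changed"] = users[12].phone == "999"

    # Legitimate updates still work: own record, and admin on any record.
    hardened_update(users, users[11], 11, {"phone": "123"})
    hardened_update(users, users[1], 12, {"name": "Teacher B (renamed)"})
    results["self_update_ok"] = users[11].phone == "123"
    results["admin_update_ok"] = users[12].name == "Teacher B (renamed)"

    # A teacher cannot promote themselves through the same endpoint.
    try:
        hardened_update(users, users[11], 11, {"role": "admin"})
        results["role_change_rejected"] = False
    except ValueError:
        results["role_change_rejected"] = users[11].role == "teacher"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design point is that a role check alone ("is this a teacher?") is not an authorization decision for a per-record operation; the decision has to bind the caller's identity to the specific object being written, and the field allow-list keeps the same endpoint from becoming a second escalation path.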

Details

CWE(s): CWE-284 (Improper Access Control)

Affected Products: changeweb unifiedtransform 2.0

CVEs Like This One

CVE-2025-25616 (same product: Changeweb Unifiedtransform)
CVE-2024-53573 (same product: Changeweb Unifiedtransform)
CVE-2025-54914 (shared CWE-284)
CVE-2025-21359 (shared CWE-284)
CVE-2025-24042 (shared CWE-284)
CVE-2026-2311 (shared CWE-284)
CVE-2026-0844 (shared CWE-284)
CVE-2026-23856 (shared CWE-284)
CVE-2026-35242 (shared CWE-284)
CVE-2025-24994 (shared CWE-284)

References