Cyber Resilience

CVE-2025-25614

Severity: High · Public PoC

Published: 10 March 2025
Modified: 23 June 2025
CVSS Score (v3.1): 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0040 (61.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25614 is a high-severity Improper Access Control (CWE-284) vulnerability in Changeweb Unifiedtransform. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 38.6% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-25614 is an incorrect access control vulnerability in Unifiedtransform version 2.0 that enables privilege escalation. It allows authenticated teachers to update the personal data of other teachers, violating intended role-based access restrictions. The issue is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

The vulnerability can be exploited by low-privileged network users, such as authenticated teachers (PR:L), with low attack complexity and no user interaction required. Attackers can escalate privileges to modify sensitive personal data of fellow teachers, potentially leading to unauthorized data alterations across the system given the high impact ratings in confidentiality, integrity, and availability.

Advisories and further details are available in the provided references, including the CVE disclosure repository at https://github.com/armaansidana2003/CVE-2025-25614 and the Unifiedtransform project at https://github.com/changeweb/Unifiedtransform.

Vulnerability details

Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation, which allows teachers to update the personal data of fellow teachers.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Incorrect access control enables authenticated low-privilege users (teachers) to perform admin-only actions like editing other teachers' personal data, facilitating exploitation for privilege escalation.

CVEs Like This One

CVE-2025-25616 (same product: Changeweb Unifiedtransform)
CVE-2024-53573 (same product: Changeweb Unifiedtransform)
CVE-2026-48898 (shared CWE-284)
CVE-2026-25176 (shared CWE-284)
CVE-2026-48899 (shared CWE-284)
CVE-2026-37526 (shared CWE-284)
CVE-2024-56883 (shared CWE-284)
CVE-2026-42823 (shared CWE-284)
CVE-2026-0844 (shared CWE-284)
CVE-2026-41086 (shared CWE-284)

Affected Assets

changeweb / unifiedtransform / 2.0 (vendor / product / version)

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: AC-3 enforces approved authorizations for access to system resources, directly preventing teachers from updating other teachers' personal data due to incorrect access control.

Prevent: AC-6 implements least privilege, restricting authenticated teachers to only necessary accesses and blocking privilege escalation to modify fellow teachers' data.

Prevent: AC-2 manages accounts and role assignments, mitigating improper privilege configurations that enable cross-teacher data updates.
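The flaw described in the deeper analysis (a role check that never asks whether the target record belongs to the caller) and the AC-3/AC-6 fix are shown side by side below. This is an added illustration in Python, not Unifiedtransform's code; the User/Teacher models, the in-memory "database" and the handler names are all assumed, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str  # "admin" or "teacher"

@dataclass
class Teacher:
    id: int
    user_id: int  # account that owns this profile row
    phone: str

def make_db():
    # Constructed sample data: two teacher profiles owned by two different accounts.
    return {1: Teacher(1, user_id=10, phone="111"), 2: Teacher(2, user_id=20, phone="222")}

def update_teacher_vulnerable(db, actor, teacher_id, new_phone):
    # Vulnerable pattern: only the caller's role is checked, never whether the
    # target profile belongs to the caller, so any teacher can edit any teacher.
    if actor.role not in ("admin", "teacher"):
        return False  # a web handler would answer HTTP 403 here
    db[teacher_id].phone = new_phone
    return True

def can_update_teacher(actor, target):
    # Object-level rule in the spirit of AC-3/AC-6: admins may edit any profile,
    # a teacher only the profile tied to their own account.
    return actor.role == "admin" or (actor.role == "teacher" and target.user_id == actor.id)

def update_teacher_fixed(db, actor, teacher_id, new_phone):
    # Hardened handler: load the target, then authorize the actor against that object.
    target = db[teacher_id]
    if not can_update_teacher(actor, target):
        return False  # denied: a web handler would answer HTTP 403 here
    target.phone = new_phone
    return True

def demo():
    # Teacher account 10 (owner of profile 1) tries to edit profile 2 under each handler.
    alice, vuln_db, fixed_db = User(10, "teacher"), make_db(), make_db()
    return {
        "vuln_cross_edit": update_teacher_vulnerable(vuln_db, alice, 2, "999"),
        "fixed_cross_edit": update_teacher_fixed(fixed_db, alice, 2, "999"),
        "fixed_own_edit": update_teacher_fixed(fixed_db, alice, 1, "123"),
        "fixed_admin_edit": update_teacher_fixed(fixed_db, User(1, "admin"), 2, "555"),
        "profile2_phone_after_fix": fixed_db[2].phone,
    }
```

The same object-level check belongs in every handler that takes a record id from the request, and a denied call is worth logging with the actor and target ids so cross-account edit attempts show up in monitoring.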

References