Cyber Posture

CVE-2025-25616

Medium

Published: 10 March 2025

Published
10 March 2025
Modified
13 March 2025
KEV Added
Patch
CVSS Score 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0057 68.8th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25616 is a medium-severity Improper Access Control (CWE-284) vulnerability in Changeweb Unifiedtransform. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for logical access, directly preventing low-privilege students from modifying exam rules via the vulnerable endpoint.

AC-6 Least Privilege good match
prevent

Employs least privilege to ensure students lack permissions needed to access and edit exam rules.

AC-5 Separation of Duties partial match
prevent

Enforces separation of duties between students and exam administrators to restrict unauthorized rule modifications.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Incorrect access control vulnerability in public-facing web application (/exams/edit-rule endpoint) allows authenticated low-privilege users (students) to perform unauthorized administrative actions like modifying exam rules, enabling exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).

NVD Description

Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows students to modify rules for exams. The affected endpoint is /exams/edit-rule?exam_rule_id=1.

Deeper analysisAI

CVE-2025-25616 is an Incorrect Access Control vulnerability in Unifiedtransform version 2.0, published on 2025-03-10. The flaw allows students to modify rules for exams via the affected endpoint /exams/edit-rule?exam_rule_id=1. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) and maps to CWE-284 (Improper Access Control) as well as NVD-CWE-Other.

The vulnerability can be exploited by low-privilege users, such as authenticated students, over the network with low attack complexity and no user interaction required. Exploitation enables modification of exam rules, leading to a low-impact integrity violation while preserving confidentiality and availability.

Advisories and related details are provided in the GitHub repositories at https://github.com/armaansidana2003/CVE-2025-25616 and https://github.com/changeweb/Unifiedtransform.

Details

CWE(s)
NVD-CWE-OtherCWE-284

Affected Products

changeweb
unifiedtransform
2.0

CVEs Like This One

CVE-2025-25614Same product: Changeweb Unifiedtransform
CVE-2024-53573Same product: Changeweb Unifiedtransform
CVE-2025-53763Shared CWE-284
CVE-2026-20750Shared CWE-284
CVE-2026-22011Shared CWE-284
CVE-2025-55261Shared CWE-284
CVE-2025-25500Shared CWE-284
CVE-2025-70064Shared CWE-284
CVE-2025-55244Shared CWE-284
CVE-2025-24411Shared CWE-284

References