Cyber Resilience

CVE-2025-25616

Medium

Published: 10 March 2025

Published
10 March 2025
Modified
13 March 2025
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0057 69.1th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25616 is a medium-severity Improper Access Control (CWE-284) vulnerability in Changeweb Unifiedtransform. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 30.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-25616 is an Incorrect Access Control vulnerability in Unifiedtransform version 2.0, published on 2025-03-10. The flaw allows students to modify rules for exams via the affected endpoint /exams/edit-rule?exam_rule_id=1. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) and maps to CWE-284 (Improper Access Control) as well as NVD-CWE-Other.

The vulnerability can be exploited by low-privilege users, such as authenticated students, over the network with low attack complexity and no user interaction required. Exploitation enables modification of exam rules, leading to a low-impact integrity violation while preserving confidentiality and availability.

Advisories and related details are provided in the GitHub repositories at https://github.com/armaansidana2003/CVE-2025-25616 and https://github.com/changeweb/Unifiedtransform.

EU & UK References

Vulnerability details

Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows students to modify rules for exams. The affected endpoint is /exams/edit-rule?exam_rule_id=1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect access control vulnerability in public-facing web application (/exams/edit-rule endpoint) allows authenticated low-privilege users (students) to perform unauthorized administrative actions like modifying exam rules, enabling exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).

CVEs Like This One

CVE-2025-25614Same product: Changeweb Unifiedtransform
CVE-2024-53573Same product: Changeweb Unifiedtransform
CVE-2025-29315Shared CWE-284
CVE-2025-55261Shared CWE-284
CVE-2026-21636Shared CWE-284
CVE-2025-57130Shared CWE-284
CVE-2024-53348Shared CWE-284
CVE-2025-20229Shared CWE-284
CVE-2026-24300Shared CWE-284
CVE-2026-20750Shared CWE-284

Affected Assets

changeweb
unifiedtransform
2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access, directly preventing low-privilege students from modifying exam rules via the vulnerable endpoint.

prevent

Employs least privilege to ensure students lack permissions needed to access and edit exam rules.

prevent

Enforces separation of duties between students and exam administrators to restrict unauthorized rule modifications.

References