CVE-2025-25950
Published: 03 March 2025
Summary
CVE-2025-25950 is a high-severity Improper Access Control (CWE-284) vulnerability in Serosoft Academia Student Information System. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); the CVE ranks at the 31.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved authorizations so that low-privileged users cannot create or modify user accounts, including Administrator accounts, through the vulnerable /rest/staffResource/update endpoint.
- AC-2 (Account Management): establishes processes for account creation, modification, and deletion so that only authorized entities can perform these actions, mitigating unauthorized account changes.
- AC-6 (Least Privilege): restricts low-privileged users from reaching or executing high-privilege functions such as the account administration abused in this vulnerability.
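As an added defensive example (not Serosoft's code; the endpoint path comes from this page, while the policy, record fields, log format and names are assumed), a server-side check that applies AC-3/AC-6 to the update endpoint, followed by a detection pass over constructed access-log lines for the exact success case the vulnerability permits:

```python
from dataclasses import dataclass

ADMIN = "Administrator"
UPDATE_PATH = "/rest/staffResource/update"

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # e.g. "Student", "Staff", "Administrator"

class Forbidden(Exception):
    pass

def authorize_staff_update(caller, payload, existing):
    """AC-3 check for an update request; `existing` is the stored record or None.

    Assumed policy (not the vendor's): only Administrators may create accounts,
    modify accounts other than their own, or set any role; everyone else may
    edit only non-role fields of their own record.
    """
    target_id = payload.get("userId")
    if target_id is None:
        raise ValueError("userId is required")
    if caller.role != ADMIN:
        if existing is None or target_id != caller.user_id:
            raise Forbidden("only Administrators may create or modify other accounts")
        if "role" in payload:
            raise Forbidden("only Administrators may change roles")
    return dict(payload)  # sanitized payload the persistence layer may apply

# Constructed access-log lines: "<user> <role> <method> <path> <status>"
SAMPLE_LOG = """\
u1001 Staff POST /rest/staffResource/update 200
u0001 Administrator POST /rest/staffResource/update 200
u2042 Student POST /rest/staffResource/update 403
u1001 Staff GET /rest/staffResource/list 200
"""

def suspicious_account_updates(log_text):
    """User ids of non-Administrators whose update requests succeeded: the event
    the check above makes impossible, and the one to alert on for 1.0.118."""
    hits = []
    for line in log_text.splitlines():
        user, role, method, path, status = line.split()
        if path == UPDATE_PATH and method in ("POST", "PUT") and role != ADMIN and status == "200":
            hits.append(user)
    return hits
```

Running suspicious_account_updates over the constructed log returns only u1001, the Staff user whose update succeeded; the Administrator's success and the Student's 403 are not flagged.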
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control on the account-management REST endpoint enables unauthorized account creation and modification (T1136 Create Account / T1098 Account Manipulation), resulting in privilege escalation (T1068) through exploitation of a network-exposed web application (T1190 Exploit Public-Facing Application).
NVD Description
Incorrect access control in the component /rest/staffResource/update of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows the creation and modification of user accounts, including an Administrator account.
Deeper analysis
CVE-2025-25950 is an incorrect access control vulnerability affecting the /rest/staffResource/update component in Serosoft Solutions Pvt Ltd's Academia Student Information System (SIS) EagleR version 1.0.118. Published on 2025-03-03, the flaw enables unauthorized creation and modification of user accounts, including Administrator accounts, due to improper enforcement of access controls. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-284 (Improper Access Control).
The vulnerability can be exploited by a low-privileged (PR:L) authenticated user over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows the attacker to create or modify accounts, including escalating privileges to Administrator level, resulting in high impacts to confidentiality (C:H) and integrity (I:H) without affecting availability (A:N).
Vulnerability research, including potential proof-of-concepts, is documented in GitHub repositories such as https://github.com/VvV1per/Vulnerability-Research-CVEs/tree/main/CVE-2025-25950, https://github.com/VvV1per/Vulnerability-Research-CVEs/tree/main/CVE-2024-89637, and https://github.com/el-viper/cve-research/tree/main/CVEs/CVE-2025-25950. No official advisories or patches are referenced in available details.
Details
- CWE(s)