CVE-2025-27583
Published: 03 March 2025
Summary
CVE-2025-27583 is a critical-severity Missing Authorization (CWE-862) vulnerability in Serosoft Academia Student Information System. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires enforcement of approved authorizations for logical access, directly mitigating the incorrect access control allowing unauthenticated creation and modification of user accounts via the vulnerable endpoint.
Explicitly identifies and authorizes only approved actions without identification or authentication, preventing unauthorized account creation and modification on endpoints like /rest/staffResource/findAllUsersAcrossOrg.
Mandates procedures for managing account creation, modification, enabling, and disabling, countering the vulnerability's ability to remotely create or alter user accounts including Administrator ones.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploit of public-facing REST endpoint enables account creation/modification (T1136, T1098) for privilege escalation (T1068) and initial access (T1190).
NVD Description
Incorrect access control in the component /rest/staffResource/findAllUsersAcrossOrg of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify user accounts, including an Administrator account.
Deeper analysisAI
CVE-2025-27583 is an incorrect access control vulnerability (CWE-862) in the /rest/staffResource/findAllUsersAcrossOrg component of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR version 1.0.118. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts with no availability disruption.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows remote creation and modification of user accounts, including Administrator accounts, enabling full compromise of the system's access controls, privilege escalation, and potential persistence or lateral movement within the affected SIS environment.
The primary reference points to a GitHub repository at https://github.com/VvV1per/Vulnerability-Research-CVEs/tree/main/CVE-2024-53637 containing vulnerability research details, though specific patch or mitigation guidance is not detailed in available sources. Security practitioners should verify vendor updates for EagleR v1.0.118 and implement network segmentation or access restrictions on the affected endpoint pending remediation.
Details
- CWE(s)