CVE-2025-51682
Published: 01 December 2025
Summary
CVE-2025-51682 is a critical-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Mjobtime Mjobtime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires server-side enforcement of access authorizations, directly preventing bypass of client-side authorization logic in mJobtime by ensuring the server validates all requests independently.
Enforces least privilege on administrative functions, limiting the scope and impact of unauthorized access gained through client-side tampering or crafted requests.
Validates all information inputs to administrative endpoints server-side, blocking crafted requests derived from analysis of client-side code.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a client-side authorization bypass in a network-accessible time management application, directly enabling exploitation of a public-facing application for unauthorized administrative access.
NVD Description
mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly.
Deeper analysisAI
CVE-2025-51682 is a critical client-side authorization vulnerability (CWE-602) in mJobtime 15.7.2, a time management software. The flaw arises because authorization logic is enforced solely on the client side, allowing attackers to modify client-side code and bypass restrictions to access administrative features. Attackers can also analyze the client-side code to craft direct requests that invoke these administrative functions on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low complexity, and lack of prerequisites.
Unauthenticated attackers with network access can exploit this vulnerability without user interaction. By tampering with client-side code in their browser or using tools to intercept and modify requests, they gain unauthorized access to administrative capabilities. Direct request forging based on client-side logic enables remote invocation of sensitive server-side functions, potentially compromising confidentiality, integrity, and availability of the system.
Advisories detailing the vulnerability, including potential mitigations, are available from InfoGuard Labs at https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ (covering CVE-2025-51682 and CVE-2025-51683) and the vendor site at http://mjobtime.com. The CVE was published on 2025-12-01.
Details
- CWE(s)