CVE-2025-65669
Published: 26 November 2025
Summary
CVE-2025-65669 is a critical-severity Missing Authorization (CWE-862) vulnerability in Classroomio Classroomio. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 44.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources like course deletion, directly preventing unauthorized students or unauthenticated attackers from bypassing admin-only restrictions.
Implements least privilege to restrict course deletion exclusively to admin users, mitigating the vulnerability's allowance of student-level unauthorized destructive actions.
Requires verification of access authorizations prior to permitting actions on system resources, ensuring delete operations on the Explore page check for admin privileges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Broken access control in public-facing web app (classroomio) enables exploitation (T1190), privilege escalation for student accounts to perform admin-only course deletion (T1068), facilitating data destruction (T1485).
NVD Description
An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.
Deeper analysisAI
CVE-2025-65669 is a missing authorization vulnerability (CWE-862) discovered in classroomio version 0.1.13, published on 2025-11-26. The flaw allows student accounts to delete courses directly from the Explore page without any authorization or authentication checks, circumventing the intended restriction that limits course deletion to admin users only. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts.
Any unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By accessing the Explore page, an attacker could delete arbitrary courses, disrupting service availability and integrity for all users relying on the platform, as there are no protections enforcing admin privileges for this action.
References include the vendor site at http://classroomio.com and GitHub repositories such as https://github.com/classroomio/classroomio and https://github.com/Rivek619/CVE-2025-65669, which likely contain additional details or proof-of-concept code, though specific mitigation or patch guidance is not detailed in the available information.
Details
- CWE(s)