Cyber Resilience

CVE-2025-65669

CriticalPublic PoC

Published: 26 November 2025

Published
26 November 2025
Modified
03 December 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0022 44.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-65669 is a critical-severity Missing Authorization (CWE-862) vulnerability in Classroomio Classroomio. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 44.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-65669 is a missing authorization vulnerability (CWE-862) discovered in classroomio version 0.1.13, published on 2025-11-26. The flaw allows student accounts to delete courses directly from the Explore page without any authorization or authentication checks, circumventing the intended restriction that limits course deletion to admin users only. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts.

Any unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By accessing the Explore page, an attacker could delete arbitrary courses, disrupting service availability and integrity for all users relying on the platform, as there are no protections enforcing admin privileges for this action.

References include the vendor site at http://classroomio.com and GitHub repositories such as https://github.com/classroomio/classroomio and https://github.com/Rivek619/CVE-2025-65669, which likely contain additional details or proof-of-concept code, though specific mitigation or patch guidance is not detailed in the available information.

EU & UK References

Vulnerability details

An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Broken access control in public-facing web app (classroomio) enables exploitation (T1190), privilege escalation for student accounts to perform admin-only course deletion (T1068), facilitating data destruction (T1485).

CVEs Like This One

CVE-2025-67298Same product: Classroomio Classroomio
CVE-2026-4100Shared CWE-862
CVE-2026-32501Shared CWE-862
CVE-2025-31194Shared CWE-862
CVE-2026-6963Shared CWE-862
CVE-2024-9195Shared CWE-862
CVE-2025-6380Shared CWE-862
CVE-2026-0506Shared CWE-862
CVE-2025-2110Shared CWE-862
CVE-2026-4365Shared CWE-862

Affected Assets

classroomio
classroomio
0.1.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources like course deletion, directly preventing unauthorized students or unauthenticated attackers from bypassing admin-only restrictions.

prevent

Implements least privilege to restrict course deletion exclusively to admin users, mitigating the vulnerability's allowance of student-level unauthorized destructive actions.

prevent

Requires verification of access authorizations prior to permitting actions on system resources, ensuring delete operations on the Explore page check for admin privileges.

References