Cyber Posture

CVE-2025-7016

High

Published: 29 January 2026

Published
29 January 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0009 24.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7016 is a high-severity Improper Access Control (CWE-284) vulnerability in Akinsoft Qr Menu. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Directly enforces approved access authorizations, preventing improper access control that enables authentication abuse by low-privilege users.

AC-6 Least Privilege partial match
prevent

Applies least privilege to restrict low-privilege (PR:L) accounts from accessing sensitive functions, mitigating the high-impact exploitation.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation through patching to QR Menu s1.05.12 or later, eliminating the specific improper access control vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Improper access control in public-facing QR Menu web app directly enables remote exploitation for auth bypass and unauthorized access (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse.This issue affects QR Menu: before s1.05.12.

Deeper analysisAI

CVE-2025-7016 is an Improper Access Control vulnerability in the QR Menu software developed by Akın Software Computer Import Export Industry and Trade Ltd. The flaw enables Authentication Abuse and affects all versions of QR Menu prior to s1.05.12. It has been assigned a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control) as well as NVD-CWE-Other.

An attacker with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing the attacker to abuse authentication mechanisms and gain unauthorized access to sensitive functions or data within the QR Menu application.

The advisory at https://www.usom.gov.tr/bildirim/tr-26-0006 provides details on the vulnerability. Mitigation involves updating to QR Menu version s1.05.12 or later, as the issue is fixed in that release.

Details

CWE(s)
CWE-284NVD-CWE-Other

Affected Products

akinsoft
qr menu
≤ s1.05.12

CVEs Like This One

CVE-2025-7015Same product: Akinsoft Qr Menu
CVE-2025-66956Shared CWE-284
CVE-2026-30707Shared CWE-284
CVE-2025-23243Shared CWE-284
CVE-2026-40595Shared CWE-284
CVE-2025-66509Shared CWE-284
CVE-2025-27649Shared CWE-284
CVE-2025-50900Shared CWE-284
CVE-2025-50105Shared CWE-284
CVE-2025-29515Shared CWE-284

References