CVE-2025-7347

High

Published: 10 February 2026

Published

10 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 18.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7347 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Gov (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to system resources, directly preventing authorization bypass via exploitation of trusted identifiers.

SI-10 Information Input Validation good match

prevent

SI-10 validates and sanitizes user-controlled inputs such as keys and identifiers, blocking exploitation of unverified trusted identifiers in authorization decisions.

AC-6 Least Privilege partial match

prevent

AC-6 applies least privilege to limit the scope and impact of access granted through a successful authorization bypass by low-privileged users.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Authz bypass via user-controlled key (IDOR) directly enables unauthorized resource access/modification by low-priv remote users, mapping to privilege escalation exploitation and public-facing app exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Authorization Bypass Through User-Controlled Key vulnerability in Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System allows Exploitation of Trusted Identifiers.This issue affects Dinibh Patrol Tracking System: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not…

respond in any way.

Deeper analysisAI

CVE-2025-7347 is an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in the Dinibh Patrol Tracking System from Dinibh Puzzle Software Solutions. The flaw allows exploitation of trusted identifiers and affects all versions of the software through 10022026.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely by low-privileged authenticated users with low attack complexity and no user interaction required. Successful exploitation enables attackers to bypass authorization controls, resulting in high impacts to confidentiality, integrity, and availability.

An advisory detailing the issue is available from USOM at https://www.usom.gov.tr/bildirim/tr-26-0051. The vendor was contacted early regarding disclosure but did not respond, and no patches or mitigations are referenced.