CVE-2025-8322
Published: 30 July 2025
Summary
CVE-2025-8322 is a high-severity Missing Authorization (CWE-862) vulnerability in Org (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 30.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-8322 is a Missing Authorization vulnerability (CWE-862) affecting the e-School software from Ventem. Published on 2025-07-30, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue enables remote attackers possessing regular privileges to bypass authorization checks and access administrator functions.
Attackers with low-privilege (regular user) accounts can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants them the ability to create, modify, and delete accounts, including escalating any account to system administrator privileges, resulting in high impacts on confidentiality, integrity, and availability.
Advisories from TWCERT/CC provide further details on mitigation, available at https://www.twcert.org.tw/en/cp-139-10305-2eca0-2.html and https://www.twcert.org.tw/tw/cp-132-10304-6b375-1.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23146
Vulnerability details
The e-School from Ventem has a Missing Authorization vulnerability, allowing remote attackers with regular privilege to access administrator functions, including creating, modifying, and deleting accounts. They can even escalate any account to system administrator privilege.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862) in a remotely accessible application directly enables low-privileged users to escalate to administrator privileges and perform account creation/modification/deletion, mapping to Exploitation for Privilege Escalation and Account Manipulation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates enforcement of approved authorizations, addressing the missing authorization checks that allow regular users to access admin functions.
Enforces least privilege to restrict regular users from performing or escalating to administrator actions like account management.
Provides procedures for managing accounts, including creation, modification, deletion, and privilege assignment, to mitigate unauthorized account operations.