Cyber Posture

CVE-2025-9062

High

Published: 19 February 2026

Published
19 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0001 2.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9062 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Gov (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-24 Access Control Decisions
addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

AC-3 Access Enforcement
addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Authorization bypass via user-controlled key/parameter injection in Envanty directly enables remote exploitation of a public-facing application for unauthorized data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection.This issue affects Envanty: before 1.0.6. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. The vulnerability…

more

was learned to be remediated through reporter information and testing.

Deeper analysisAI

CVE-2025-9062 is an Authorization Bypass Through User-Controlled Key vulnerability in Envanty from MeCODE Informatics and Engineering Services Ltd., which allows Parameter Injection. This issue affects Envanty versions before 1.0.6.

The vulnerability carries a CVSS score of 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating exploitation requires adjacent network access, low attack complexity, and low privileges such as an authenticated user, with no user interaction needed. Successful exploitation enables high-impact unauthorized access to confidentiality and integrity, but no availability disruption.

The vendor was contacted early about this disclosure but did not respond. The vulnerability was learned to be remediated through reporter information and testing, implying mitigation via upgrade to Envanty 1.0.6 or later. Additional details are available in the advisory at https://www.usom.gov.tr/bildirim/tr-26-0076.

Details

CWE(s)
CWE-639

Affected Products

Gov
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-40805Shared CWE-639
CVE-2026-4503Shared CWE-639
CVE-2026-40600Shared CWE-639
CVE-2023-53955Shared CWE-639
CVE-2020-36923Shared CWE-639
CVE-2026-33511Shared CWE-639
CVE-2026-39384Shared CWE-639
CVE-2025-14844Shared CWE-639
CVE-2023-53914Shared CWE-639
CVE-2025-10855Shared CWE-639

References