CVE-2025-9062
Published: 19 February 2026
Summary
CVE-2025-9062 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Envanty, from MeCODE Informatics and Engineering Services Ltd. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 3.8th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9062 is an Authorization Bypass Through User-Controlled Key vulnerability in Envanty from MeCODE Informatics and Engineering Services Ltd. that allows Parameter Injection: a key or identifier supplied by the user is used to select a record without a check that the caller is authorized for that record. This issue affects Envanty versions before 1.0.6.
The vulnerability carries a CVSS score of 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating exploitation requires adjacent network access, low attack complexity, and low privileges (an ordinary authenticated user), with no user interaction needed. Successful exploitation has high impact on confidentiality and integrity (reading and modifying data the caller is not authorized for) and no availability impact; scope is unchanged, so the impact stays within the vulnerable component.
The vendor was contacted early about this disclosure but did not respond. Remediation was established through the reporter's information and testing rather than through a vendor statement; the affected range ("before 1.0.6") implies that upgrading to Envanty 1.0.6 or later is the fix, and since no vendor advisory confirms it, the fix should be verified by re-testing after the upgrade. Additional details are available in the advisory at https://www.usom.gov.tr/bildirim/tr-26-0076.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207678
Vulnerability details
Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection. This issue affects Envanty: before 1.0.6. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. The vulnerability was learned to be remediated through reporter information and testing.
- CWE-639: Authorization Bypass Through User-Controlled Key
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
- Exploit Public-Facing Application (T1190)
Why these techniques?
Authorization bypass via a user-controlled key (parameter injection) in Envanty lets an attacker who can reach the application read or modify data belonging to other users. Note that the CVSS vector rates the attack vector as Adjacent (AV:A), so the T1190 mapping applies to an Envanty instance reachable across the network; it does not by itself mean the application is Internet-exposed.
Mitigating Controls (NIST 800-53 r5) (AI)
- AC-3 (Access Enforcement): directly enforces approved authorizations on user-controlled keys and parameters, blocking the authorization bypass that enables parameter injection. For CWE-639 this means the ownership or tenancy check happens on the object actually looked up, not only on the endpoint.
- AC-6 (Least Privilege): restricts privileges so authenticated users cannot access or manipulate keys or parameters beyond their assigned scope.
- Input validation: validates all user-supplied parameters and keys before use. This narrows what reaches the lookup but does not replace the authorization check, since a well-formed key that belongs to another user still passes validation.
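The three controls above are easiest to see side by side in code. The following is an added illustration of the CWE-639 pattern and its fix, written for this page; it is not Envanty's code, and the request shape of the real flaw is not public, so it uses a generic in-memory record store with two tenants (constructed data) and a hypothetical record-id parameter. The vulnerable lookup trusts the key after authentication; the hardened lookup enforces ownership on the object itself (AC-3), lets only an admin role cross tenants (AC-6), and a separate parser rejects malformed ids (input validation). A small sweep helper shows what an authenticated tester from tenant 2 can reach through each version.

```python
"""CWE-639 (authorization bypass through user-controlled key) in miniature.

Added example, not Envanty's code. Data and identifiers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


class NotFound(Exception):
    """Raised for missing records and for records the caller may not see."""


@dataclass(frozen=True)
class User:
    user_id: int
    account_id: int
    role: str  # "member" or "admin" (hypothetical roles)


@dataclass
class Record:
    record_id: int
    account_id: int
    payload: str


# Constructed sample data: one record per tenant, ids are guessable integers.
RECORDS: dict[int, Record] = {
    101: Record(101, account_id=1, payload="tenant-1 asset list"),
    102: Record(102, account_id=2, payload="tenant-2 asset list"),
}


def parse_record_id(raw: str) -> int:
    """Input validation: only a plain positive integer is a valid key.

    This rejects junk such as '102 OR 1=1' but, on its own, says nothing about
    whether the caller may read record 102; that is the AC-3 check below.
    """
    if not raw.isdigit():
        raise ValueError(f"bad record id: {raw!r}")
    return int(raw)


def get_record_vulnerable(caller: User, record_id: int) -> Record:
    """The CWE-639 pattern: the caller is authenticated, the key is trusted."""
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id) from None


def get_record_hardened(caller: User, record_id: int) -> Record:
    """AC-3 on the object: the record must belong to the caller's account.

    AC-6: only the admin role may read across accounts. Missing and
    not-yours both raise NotFound so a probe cannot tell them apart.
    """
    rec = RECORDS.get(record_id)
    if rec is None or (rec.account_id != caller.account_id and caller.role != "admin"):
        raise NotFound(record_id)
    return rec


def update_record_hardened(caller: User, record_id: int, payload: str) -> Record:
    """The write path reuses the same check; the I:H in the vector is what
    you lose when only the read path is guarded."""
    rec = get_record_hardened(caller, record_id)
    rec.payload = payload
    return rec


def sweep(lookup: Callable[[User, int], Record], caller: User,
          ids: Iterable[int]) -> list[int]:
    """Probe a range of ids as the caller; return those that were readable.

    This is what an authenticated tester (PR:L in the vector) does to confirm
    CWE-639: step the key and see whether other tenants' records come back.
    """
    readable = []
    for rid in ids:
        try:
            lookup(caller, rid)
            readable.append(rid)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    tenant2_member = User(user_id=7, account_id=2, role="member")
    print("vulnerable:", sweep(get_record_vulnerable, tenant2_member, range(100, 105)))
    print("hardened:  ", sweep(get_record_hardened, tenant2_member, range(100, 105)))
```

The ownership check lives next to the lookup rather than in a per-route permission decorator, because a route-level check only answers "may this user call this endpoint", which is exactly the question CWE-639 gets right while still leaking other tenants' records. Returning the same NotFound for both missing and foreign ids is a deliberate choice to stop the sweep from enumerating which ids exist.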