Cyber Resilience

CVE-2025-9062

Severity: High (updated)
Published: 19 February 2026
Modified: 05 June 2026
KEV Added: not listed
Patch: Envanty 1.0.6 or later
CVSS v3.1 Score: 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (3.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9062 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Envanty from MeCODE Informatics and Engineering Services Ltd. The affected asset is recorded below as "Gov", inferred from the references, because NVD filed no CPE for this CVE. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0002 places it at the 3.8th percentile by exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9062 is an Authorization Bypass Through User-Controlled Key vulnerability in Envanty from MeCODE Informatics and Engineering Services Ltd., which allows Parameter Injection. This issue affects Envanty versions before 1.0.6.

The vulnerability carries a CVSS score of 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating exploitation requires adjacent network access, low attack complexity, and low privileges such as an authenticated user, with no user interaction needed. Successful exploitation enables high-impact unauthorized access to confidentiality and integrity, but no availability disruption.

The vendor was contacted early about this disclosure but did not respond. Remediation was confirmed through reporter information and testing rather than a vendor statement; the implied mitigation is an upgrade to Envanty 1.0.6 or later. Additional details are available in the advisory at https://www.usom.gov.tr/bildirim/tr-26-0076.

Vulnerability details

Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection. This issue affects Envanty: before 1.0.6. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. The vulnerability was learned to be remediated through reporter information and testing.

CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass via a user-controlled key (parameter injection) in Envanty enables exploitation of the application for unauthorized data access or modification. Note that the CVSS vector rates the attack vector as adjacent (AV:A) rather than network, so the "public-facing" mapping should be read with that qualification: per the vector string, the attacker must already be on the same physical or logical network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50693 (shared CWE-639)
CVE-2025-69394 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2025-58402 (shared CWE-639)
CVE-2025-68051 (shared CWE-639)
CVE-2026-4503 (shared CWE-639)
CVE-2026-43890 (shared CWE-639)
CVE-2026-25563 (shared CWE-639)
CVE-2024-8261 (shared CWE-639)
CVE-2026-3321 (shared CWE-639)

Affected Assets

Gov (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)

Directly enforces approved authorizations on user-controlled keys/parameters, blocking the authorization bypass that enables parameter injection.

AC-6 Least Privilege (prevent)

Restricts privileges so authenticated users cannot access or manipulate arbitrary keys/parameters beyond their assigned scope.

Input validation control (prevent; control identifier not recorded on this page)

Validates all user-supplied parameters and keys before use, preventing the injection that leads to unauthorized access.

References

USOM advisory TR-26-0076: https://www.usom.gov.tr/bildirim/tr-26-0076