CVE-2026-30707
Published: 17 March 2026
Summary
CVE-2026-30707 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to system resources, directly addressing the failure of server-side access controls in the ReviewAnswerDetails PageMethod.
- AC-6 (Least Privilege): Employs least privilege to restrict low-privilege authenticated users from accessing sensitive answer keys via unauthorized method invocation.
- Requires explicit access control decisions for sensitive resources, mitigating unauthorized retrieval of answer keys by ensuring role-based authorization checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, authenticated access control bypass in a public-facing SaaS web application (ASP.NET PageMethod) that directly enables exploitation of the externally exposed service to obtain unauthorized sensitive data.
NVD Description
An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key. The provider states that this issue is "Fixed in [02/2026] backend service update."
Deeper analysis
CVE-2026-30707 is a Broken Access Control vulnerability discovered in the SpeedExam Online Examination System (SaaS), affecting versions after v.FEV2026. The flaw exists in the ReviewAnswerDetails ASP.NET PageMethod, which fails to enforce proper server-side access controls, allowing attackers to bypass client-side restrictions.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By directly invoking the PageMethod, they can retrieve the full answer key, leading to high impacts on confidentiality (C:H) and integrity (I:H) with no availability impact (A:N), as scored at 8.1 under CVSS v3.1. The issue maps to CWE-284 (Improper Access Control).
The provider states that the vulnerability is fixed in the [02/2026] backend service update. Further details are documented in vulnerability reports available at https://github.com/Maarckz/VulnReports/blob/main/CVE-2026-30707.md and https://github.com/Maarckz/VulnReports/blob/main/SpeedExam%20%28SECOPS.GROUP%29.md.
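The failure pattern described above, shown as an added example that is not SpeedExam's code: an ASP.NET Web Forms PageMethod whose only protection is that the page's JavaScript never calls it, beside a version that makes the authorization decision on the server for every call. The method name comes from the advisory; the parameter, role name, release policy and data-access helpers are assumptions.

```csharp
// Added example, not SpeedExam's code. Only the PageMethod name is from the
// advisory; examId, the "Examiner" role and the repository are assumed.
using System.Web;
using System.Web.Services;
using System.Web.UI;

public partial class ReviewPage : Page
{
    // VULNERABLE shape: any authenticated user can POST to
    // ReviewPage.aspx/ReviewAnswerDetails and receive the full key,
    // because the "restriction" lives only in client-side script.
    [WebMethod]
    public static string ReviewAnswerDetails_Vulnerable(int examId)
    {
        return AnswerKeyRepository.GetAnswerKeyJson(examId);
    }

    // HARDENED shape: authorization is enforced server-side on each call.
    [WebMethod]
    public static string ReviewAnswerDetails(int examId)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new HttpException(401, "Authentication required");

        // AC-6: examiners may view any key; a candidate may view only their
        // own attempt, and only after results are released (assumed policy).
        bool isExaminer = user.IsInRole("Examiner");
        bool isOwnReleasedAttempt =
            AnswerKeyRepository.IsAttemptOwner(examId, user.Identity.Name)
            && AnswerKeyRepository.ResultsReleased(examId);

        if (!isExaminer && !isOwnReleasedAttempt)
        {
            // AC-3: deny, and record the denial so direct invocations
            // that bypass the UI show up in monitoring.
            AuditLog.Write($"Denied ReviewAnswerDetails examId={examId} user={user.Identity.Name}");
            throw new HttpException(403, "Forbidden");
        }
        return AnswerKeyRepository.GetAnswerKeyJson(examId);
    }
}

// Hypothetical data-access stubs so the example compiles stand-alone.
static class AnswerKeyRepository
{
    public static bool IsAttemptOwner(int examId, string user) => false; // DB lookup in practice
    public static bool ResultsReleased(int examId) => false;             // DB lookup in practice
    public static string GetAnswerKeyJson(int examId) => "{}";
}
static class AuditLog { public static void Write(string m) => System.Diagnostics.Trace.TraceWarning(m); }
```

The 403 path is the detection hook: a spike in denied ReviewAnswerDetails calls from candidate accounts indicates someone invoking the PageMethod outside the intended UI flow.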
Details
- CWE(s)