Skip to main content

SoliClub CVE-2025-1030

HIGH
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2025-12-18 iletisim@usom.gov.tr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 08:32 vuln.today
CVE Published
Dec 18, 2025 - 15:15 nvd
HIGH 7.5

DescriptionCVE.org

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information.

This issue affects SoliClub: from 5.2.4 before 5.3.7.

AnalysisAI

Information disclosure in Utarit Informatics SoliClub Android app versions 5.2.4 through 5.3.6 allows remote unauthenticated attackers to query the system and retrieve private personal information belonging to other users. The flaw stems from inadequate access controls on a query interface, and while CVSS rates it 7.5 (High), the EPSS probability of exploitation is very low (0.04%, 13th percentile) and no public exploit identified at time of analysis.

Technical ContextAI

SoliClub is an Android mobile application developed by Turkey-based Utarit Informatics Services Inc., identified by CPE cpe:2.3:a:utarit:soliclub:*:*:*:*:*:android:*:*. The root cause is CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), meaning the application's backend query system exposes PII without enforcing proper authorization checks on who may request which records. This class of weakness typically arises when an API endpoint validates the request format but not whether the requesting user is permitted to access the queried subject's data, enabling enumeration or direct object reference abuse against PII fields.

RemediationAI

Upgrade the SoliClub Android application to version 5.3.7 or later, which is the first release outside the affected range per the NVD version constraint (Vendor-released patch: 5.3.7). Administrators of enterprise mobile fleets should push the update via MDM and verify installed versions; end users should update through the Google Play Store. Until updates are deployed, compensating controls are limited because the issue is server-side query exposure, but operators of the backend should consider temporarily restricting or rate-limiting the affected query endpoint and reviewing access logs for anomalous lookup patterns indicative of PII enumeration - note that rate-limiting will degrade legitimate user experience and is only a stopgap. Consult the USOM advisories at https://www.usom.gov.tr/bildirim/tr-25-0466 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0466 for any vendor-coordinated guidance.

Share

CVE-2025-1030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy