CBK Soft enVision CVE-2025-11145
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting.
This issue affects enVision: before 250566.
AnalysisAI
Information disclosure in CBK Soft enVision before version 250566 allows remote unauthenticated attackers to perform account footprinting by observing response discrepancies, enabling enumeration of valid user accounts and exposure of private personal information. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 14th percentile) indicates very low near-term exploitation probability despite the High CVSS rating of 7.5.
Technical ContextAI
enVision is a product from CBK Soft (Software Hardware Electronic Computer Systems Industry and Trade Inc.), a Turkish vendor producing enterprise software. The flaw is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and stems from an observable discrepancy - the application returns differing responses (status codes, content, timing, or error messages) depending on whether a queried account exists. This side-channel allows attackers to enumerate valid user accounts (account footprinting), a common precursor to credential stuffing, password spraying, and targeted phishing. The flaw was coordinated through Turkey's national CSIRT, USOM (Ulusal Siber Olaylara Müdahale Merkezi).
Affected ProductsAI
CBK Soft enVision in all versions before 250566 is affected; the fixed build is 250566. No CPE strings were provided in the input, and the vendor advisory is published via Turkey's national CERT at https://www.usom.gov.tr/bildirim/tr-25-0361 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0361. Deployment is concentrated in the Turkish enterprise market.
RemediationAI
Upgrade enVision to version 250566 or later as the primary fix; this is the vendor-released patched build referenced by USOM advisory TR-25-0361. Coordinate update planning via the USOM bulletin at https://www.usom.gov.tr/bildirim/tr-25-0361 and the siberguvenlik.gov.tr advisory. As compensating controls until upgrade, restrict network exposure of enVision login, registration, and password-reset endpoints to trusted networks or VPN, implement uniform response semantics at a reverse proxy (normalize status codes, response bodies, and timing for valid vs. invalid identifiers), and add rate-limiting plus monitoring on authentication-adjacent endpoints to detect enumeration attempts - note that uniform-response proxies can mask legitimate error feedback to users and require careful tuning.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today