Skip to main content

CBK Soft enVision CVE-2025-11145

HIGH
Information Exposure (CWE-200)
2025-10-24 iletisim@usom.gov.tr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 20:32 vuln.today

DescriptionCVE.org

Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting.

This issue affects enVision: before 250566.

AnalysisAI

Information disclosure in CBK Soft enVision before version 250566 allows remote unauthenticated attackers to perform account footprinting by observing response discrepancies, enabling enumeration of valid user accounts and exposure of private personal information. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 14th percentile) indicates very low near-term exploitation probability despite the High CVSS rating of 7.5.

Technical ContextAI

enVision is a product from CBK Soft (Software Hardware Electronic Computer Systems Industry and Trade Inc.), a Turkish vendor producing enterprise software. The flaw is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and stems from an observable discrepancy - the application returns differing responses (status codes, content, timing, or error messages) depending on whether a queried account exists. This side-channel allows attackers to enumerate valid user accounts (account footprinting), a common precursor to credential stuffing, password spraying, and targeted phishing. The flaw was coordinated through Turkey's national CSIRT, USOM (Ulusal Siber Olaylara Müdahale Merkezi).

Affected ProductsAI

CBK Soft enVision in all versions before 250566 is affected; the fixed build is 250566. No CPE strings were provided in the input, and the vendor advisory is published via Turkey's national CERT at https://www.usom.gov.tr/bildirim/tr-25-0361 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0361. Deployment is concentrated in the Turkish enterprise market.

RemediationAI

Upgrade enVision to version 250566 or later as the primary fix; this is the vendor-released patched build referenced by USOM advisory TR-25-0361. Coordinate update planning via the USOM bulletin at https://www.usom.gov.tr/bildirim/tr-25-0361 and the siberguvenlik.gov.tr advisory. As compensating controls until upgrade, restrict network exposure of enVision login, registration, and password-reset endpoints to trusted networks or VPN, implement uniform response semantics at a reverse proxy (normalize status codes, response bodies, and timing for valid vs. invalid identifiers), and add rate-limiting plus monitoring on authentication-adjacent endpoints to detect enumeration attempts - note that uniform-response proxies can mask legitimate error feedback to users and require careful tuning.

Share

CVE-2025-11145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy