Nomysem CVE-2025-1161
HIGHSeverity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation.
This issue affects Nomysem: through May 2025.
AnalysisAI
Privilege escalation in NomySoft Nomysem (versions through May 2025) allows remote attackers with low privileges to gain elevated rights by abusing improperly used privileged APIs. The CVSS 7.1 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis tempers immediate risk despite the high impact ceiling.
Technical ContextAI
Nomysem is a product from NomySoft Information Technology Training and Consulting Inc., a Turkish vendor whose advisory is coordinated through USOM (the Turkish National Computer Emergency Response Team). The root cause is CWE-648 (Incorrect Use of Privileged APIs), a weakness class in which an application invokes APIs that grant elevated capabilities without adequately restricting who can reach those code paths or how their inputs are validated. In practice this typically means a privileged operation (administrative function, system-level API call, or trusted backend method) is reachable from a lower-trust context, allowing a caller to perform actions outside their assigned role. No CPE strings were published in the input, so the precise component, language, or framework hosting the privileged API cannot be pinned down from the available intelligence.
Affected ProductsAI
NomySoft Information Technology Training and Consulting Inc. Nomysem is affected in all versions through May 2025, per the NVD record. No CPE string was published in the source data, and no specific edition, module, or deployment mode is named. Vendor and national CERT advisories are published at https://www.usom.gov.tr/bildirim/tr-25-0440 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0440, which are the authoritative references for confirming impacted builds.
RemediationAI
No vendor-released patch identified at time of analysis from the provided references; administrators should consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0440 and the mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0440 to obtain the fixed build directly from NomySoft, since the coordinated disclosure went through USOM. Until a patched version is confirmed, restrict the Nomysem application to trusted internal networks via firewall or VPN to neutralize the AV:N requirement (side effect: remote users lose direct access and require VPN onboarding), enforce least privilege by auditing and pruning low-privileged accounts so the PR:L precondition is harder to satisfy (side effect: legitimate self-service workflows may need re-provisioning), and disable or block any non-essential interactive features that could be used to satisfy the UI:R requirement against staff users (side effect: reduced functionality for end users). Increase monitoring for anomalous privileged API calls and role changes within Nomysem audit logs to detect exploitation attempts while a vendor fix is pending.
Same weakness CWE-648 – Incorrect Use of Privileged APIs
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today