Skip to main content

Nomysem CVE-2025-1161

HIGH
Incorrect Use of Privileged APIs (CWE-648)
2025-12-10 iletisim@usom.gov.tr
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 06, 2026 - 08:31 vuln.today

DescriptionCVE.org

Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation.

This issue affects Nomysem: through May 2025.

AnalysisAI

Privilege escalation in NomySoft Nomysem (versions through May 2025) allows remote attackers with low privileges to gain elevated rights by abusing improperly used privileged APIs. The CVSS 7.1 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis tempers immediate risk despite the high impact ceiling.

Technical ContextAI

Nomysem is a product from NomySoft Information Technology Training and Consulting Inc., a Turkish vendor whose advisory is coordinated through USOM (the Turkish National Computer Emergency Response Team). The root cause is CWE-648 (Incorrect Use of Privileged APIs), a weakness class in which an application invokes APIs that grant elevated capabilities without adequately restricting who can reach those code paths or how their inputs are validated. In practice this typically means a privileged operation (administrative function, system-level API call, or trusted backend method) is reachable from a lower-trust context, allowing a caller to perform actions outside their assigned role. No CPE strings were published in the input, so the precise component, language, or framework hosting the privileged API cannot be pinned down from the available intelligence.

Affected ProductsAI

NomySoft Information Technology Training and Consulting Inc. Nomysem is affected in all versions through May 2025, per the NVD record. No CPE string was published in the source data, and no specific edition, module, or deployment mode is named. Vendor and national CERT advisories are published at https://www.usom.gov.tr/bildirim/tr-25-0440 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0440, which are the authoritative references for confirming impacted builds.

RemediationAI

No vendor-released patch identified at time of analysis from the provided references; administrators should consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0440 and the mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0440 to obtain the fixed build directly from NomySoft, since the coordinated disclosure went through USOM. Until a patched version is confirmed, restrict the Nomysem application to trusted internal networks via firewall or VPN to neutralize the AV:N requirement (side effect: remote users lose direct access and require VPN onboarding), enforce least privilege by auditing and pruning low-privileged accounts so the PR:L precondition is harder to satisfy (side effect: legitimate self-service workflows may need re-provisioning), and disable or block any non-essential interactive features that could be used to satisfy the UI:R requirement against staff users (side effect: reduced functionality for end users). Increase monitoring for anomalous privileged API calls and role changes within Nomysem audit logs to detect exploitation attempts while a vendor fix is pending.

Share

CVE-2025-1161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy