Skip to main content

AxOnboard CVE-2025-13003

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-12-11 iletisim@usom.gov.tr
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 09:30 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc. AxOnboard allows Exploitation of Trusted Identifiers.

This issue affects AxOnboard: from 3.2.0 before 3.3.0.

AnalysisAI

Authorization bypass in Aksis AxOnboard versions 3.2.0 through 3.2.x allows authenticated low-privileged users to manipulate user-controlled identifiers (IDOR pattern) and access or modify resources belonging to other users or tenants. Türkiye's national CSIRT USOM (TR-25-0446) coordinated disclosure, and while no public exploit code has been identified, the high integrity impact in a multi-tenant onboarding platform makes this a meaningful escalation-of-privilege risk for organizations using version 3.2.x.

Technical ContextAI

AxOnboard is an employee/customer onboarding platform developed by Aksis Computer Services and Consulting, typically used to manage identity provisioning workflows. The CWE-639 (Authorization Bypass Through User-Controlled Key) root cause indicates the application accepts an identifier (such as a record ID, user ID, or onboarding token) from the client and uses it to fetch or modify resources without re-verifying that the authenticated session is authorized for that identifier - the classic Insecure Direct Object Reference pattern. The CVSS scope is unchanged (S:U), meaning exploitation stays within the application's authorization boundary but lets one tenant/user act on another tenant/user's data.

Affected ProductsAI

Aksis AxOnboard from version 3.2.0 up to (but not including) 3.3.0 is affected; no CPE strings, vendor advisory URL, or per-component breakdown were supplied in the intelligence input. The only authoritative references available are the Turkish national CSIRT bulletins at https://www.usom.gov.tr/bildirim/tr-25-0446 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0446, both of which describe the same coordinated disclosure (TR-25-0446) reported by iletisim@usom.gov.tr.

RemediationAI

Upgrade AxOnboard to version 3.3.0 or later, which is the first release outside the affected range declared in the CVE record; the fix should be obtained from Aksis directly since no public vendor advisory URL was included in the references. Until the upgrade can be applied, compensating controls include restricting AxOnboard access to trusted internal networks or VPN-only via firewall/reverse-proxy rules (trade-off: blocks legitimate remote onboarding flows), aggressively auditing application logs for users accessing object IDs outside their expected range (trade-off: detective only, not preventive), and tightening account provisioning so the pool of low-privilege users who could abuse the flaw is minimized. Both USOM bulletins (https://www.usom.gov.tr/bildirim/tr-25-0446 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0446) should be consulted for any vendor-published patch details not reflected in NVD.

Share

CVE-2025-13003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy