Skip to main content

ApplyLogic CVE-2025-13124

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-12-11 iletisim@usom.gov.tr
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 07:34 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers.

This issue affects ApplyLogic: through 01.12.2025.

AnalysisAI

Authorization bypass in Netiket Information Technologies' ApplyLogic platform (all versions through 01.12.2025) allows authenticated remote attackers to manipulate user-controlled identifiers to access or modify resources belonging to other users. The flaw is classified as an Insecure Direct Object Reference (IDOR) pattern with high integrity impact, and no public exploit has been identified at time of analysis. EPSS exploitation probability is low (0.07%, 22nd percentile), and the CVE is not on the CISA KEV list.

Technical ContextAI

The weakness is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR vulnerability where the application relies on a request parameter such as a record ID, account number, or token to identify the target resource without verifying that the authenticated caller is authorized to act on that resource. ApplyLogic is a Turkish-market business application platform developed by Netiket Information Technologies; no CPE strings are published in the provided data, so the exact affected components within the suite are not enumerated. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L) indicates a network-reachable endpoint where a low-privileged, authenticated user can tamper with identifiers in API or web requests to reach data and operations belonging to other tenants or users.

Affected ProductsAI

Netiket Information Technologies Ltd. Co. ApplyLogic is affected in all versions through 01.12.2025 (interpreted as 1 December 2025 per the Turkish dd.mm.yyyy convention used by the reporting CSIRT). No CPE 2.3 string is published in the NVD record provided, and the precise module or endpoint within ApplyLogic is not enumerated in the available data. Vendor and national CSIRT context is published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0447 and https://www.usom.gov.tr/bildirim/tr-25-0447.

RemediationAI

No vendor-released patch version is identified at time of analysis in the provided data; operators should contact Netiket directly and monitor the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0447 and the mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0447 for fixed-version information. Compensating controls while awaiting a fix: enforce per-request server-side authorization checks via a reverse proxy or WAF rule that binds the authenticated session identifier to the resource identifier in each request (trade-off: requires application-aware rules and may break legitimate cross-account workflows); restrict ApplyLogic access to known-good source IPs or VPN to shrink the attacker pool (trade-off: breaks external customer access); enable detailed access logging on object-fetch endpoints and alert on a single session enumerating IDs outside its assigned range (trade-off: detective rather than preventive); and audit existing accounts and disable or rotate any that are dormant or shared, since PR:L means any valid credential is sufficient.

Share

CVE-2025-13124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy