Turtek Eyotek CVE-2025-1469
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.
This issue affects Eyotek: before 11.03.2025.
AnalysisAI
Information disclosure in Turtek Software's Eyotek product (versions before 11.03.2025) allows remote unauthenticated attackers to access other users' data by manipulating user-controlled identifiers (IDOR-class flaw). The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability impact, and no public exploit identified at time of analysis. The flaw was reported by Turkey's national CERT (USOM) and tracked under advisory TR-25-0163.
Technical ContextAI
The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a category of Insecure Direct Object Reference (IDOR). The underlying weakness is that Eyotek accepts identifiers (such as record IDs, account numbers, or object references) directly from the client without verifying that the authenticated/requesting party is authorized to access the referenced object. The 'Exploitation of Trusted Identifiers' tag indicates the application assumes that possession or knowledge of a valid-looking identifier implies authorization to use it, bypassing per-object access control checks. Eyotek is a commercial software product from Turkish vendor Turtek Software; no CPE entries are provided in the source data to enumerate exact product editions.
Affected ProductsAI
Turtek Software Eyotek, all versions released before 11.03.2025 (11 March 2025) per the USOM advisory. No CPE strings are provided in the source data, so specific editions, modules, or deployment variants of Eyotek cannot be enumerated from NVD. The authoritative vendor/CERT references are the Turkish national CSIRT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0163 and the parallel USOM bulletin at https://www.usom.gov.tr/bildirim/tr-25-0163.
RemediationAI
Patch available per vendor advisory - upgrade Eyotek to the version released on or after 11.03.2025 (11 March 2025) as referenced in USOM advisory TR-25-0163 (https://www.usom.gov.tr/bildirim/tr-25-0163 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0163); the exact fix version string is not stated in the available data, so confirm the target build directly with Turtek Software. Until upgraded, restrict network exposure of Eyotek to trusted internal networks or VPN only, which trades off remote-user convenience for reduced attack surface, and consider placing a reverse proxy or WAF in front of the application with rules that detect sequential or out-of-range identifier enumeration in URL paths and query parameters - note that WAF rules based on identifier patterns will produce false positives against legitimate bulk users and are not a substitute for the patch. Enable verbose access logging on object-fetch endpoints and monitor for one user-session accessing many distinct object IDs in a short window, accepting the storage and review overhead this entails.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today