Skip to main content

Online Exam Registration CVE-2025-2301

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-07-21 iletisim@usom.gov.tr
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 06, 2026 - 08:35 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Akbim Software Online Exam Registration allows Exploitation of Trusted Identifiers.

This issue affects Online Exam Registration: before 14.03.2025.

AnalysisAI

Authorization bypass in Akbim Software Online Exam Registration allows a highly privileged, remote attacker to access confidential exam registration data belonging to other users by manipulating user-controlled identifier keys. Affected versions are all releases prior to 14.03.2025. No public exploit code has been identified at time of analysis, and EPSS exploitation probability stands at just 0.17%, reflecting low observed threat activity despite the confidentiality severity of the flaw.

Technical ContextAI

CWE-639 (Authorization Bypass Through User-Controlled Key) describes an Insecure Direct Object Reference (IDOR) pattern: the application uses user-supplied identifiers - such as numeric record IDs, student registration numbers, or exam session tokens in URLs or request parameters - as the sole control for authorizing access to protected resources, without independently verifying that the authenticated session holds rights to the referenced object. Akbim Software's Online Exam Registration is a Turkish-market academic exam enrollment platform; the flaw resides in its server-side authorization layer, which trusts attacker-controlled key values rather than enforcing server-side ownership checks. The CVSS vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N) confirms the vulnerability is reachable over the network, produces high confidentiality impact, but requires high pre-existing privileges and high attack complexity to trigger, narrowing the realistic attacker population considerably.

Affected ProductsAI

Akbim Software Online Exam Registration all versions prior to 14.03.2025 are affected. No specific CPE string was provided in the NVD data. The vulnerability was reported and documented by the Turkish National Cyber Incident Response Center (USOM) under advisory TR-25-0164, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0164 and https://www.usom.gov.tr/bildirim/tr-25-0164. No further version granularity (e.g., major/minor build numbers) is available from the provided data.

RemediationAI

Update Akbim Software Online Exam Registration to the version released on or after 14.03.2025, which constitutes the vendor-confirmed remediation boundary per the NVD advisory. The fix version is described by release date rather than a semantic version number, so administrators should contact Akbim Software directly to obtain the specific patched build. The Turkish USOM advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0164 provides the authoritative vendor guidance. If immediate patching is not possible, restrict administrative and privileged accounts to the minimum number of users required for operations, and audit access logs for anomalous cross-user record lookups. Placing the application behind a reverse proxy with application-layer session validation for object-level access, or implementing network-level access controls to limit who can reach the administrative interface, can reduce exposure - but neither addresses the root IDOR flaw. Note that these compensating controls carry operational overhead and may interrupt legitimate workflows.

Share

CVE-2025-2301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy