Online Exam Registration CVE-2025-2301
MEDIUMSeverity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Akbim Software Online Exam Registration allows Exploitation of Trusted Identifiers.
This issue affects Online Exam Registration: before 14.03.2025.
AnalysisAI
Authorization bypass in Akbim Software Online Exam Registration allows a highly privileged, remote attacker to access confidential exam registration data belonging to other users by manipulating user-controlled identifier keys. Affected versions are all releases prior to 14.03.2025. No public exploit code has been identified at time of analysis, and EPSS exploitation probability stands at just 0.17%, reflecting low observed threat activity despite the confidentiality severity of the flaw.
Technical ContextAI
CWE-639 (Authorization Bypass Through User-Controlled Key) describes an Insecure Direct Object Reference (IDOR) pattern: the application uses user-supplied identifiers - such as numeric record IDs, student registration numbers, or exam session tokens in URLs or request parameters - as the sole control for authorizing access to protected resources, without independently verifying that the authenticated session holds rights to the referenced object. Akbim Software's Online Exam Registration is a Turkish-market academic exam enrollment platform; the flaw resides in its server-side authorization layer, which trusts attacker-controlled key values rather than enforcing server-side ownership checks. The CVSS vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N) confirms the vulnerability is reachable over the network, produces high confidentiality impact, but requires high pre-existing privileges and high attack complexity to trigger, narrowing the realistic attacker population considerably.
Affected ProductsAI
Akbim Software Online Exam Registration all versions prior to 14.03.2025 are affected. No specific CPE string was provided in the NVD data. The vulnerability was reported and documented by the Turkish National Cyber Incident Response Center (USOM) under advisory TR-25-0164, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0164 and https://www.usom.gov.tr/bildirim/tr-25-0164. No further version granularity (e.g., major/minor build numbers) is available from the provided data.
RemediationAI
Update Akbim Software Online Exam Registration to the version released on or after 14.03.2025, which constitutes the vendor-confirmed remediation boundary per the NVD advisory. The fix version is described by release date rather than a semantic version number, so administrators should contact Akbim Software directly to obtain the specific patched build. The Turkish USOM advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0164 provides the authoritative vendor guidance. If immediate patching is not possible, restrict administrative and privileged accounts to the minimum number of users required for operations, and audit access logs for anomalous cross-user record lookups. Placing the application behind a reverse proxy with application-layer session validation for object-level access, or implementing network-level access controls to limit who can reach the administrative interface, can reduce exposure - but neither addresses the root IDOR flaw. Note that these compensating controls carry operational overhead and may interrupt legitimate workflows.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today