Turtek Eyotek CVE-2025-5681
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.
This issue affects Eyotek: before 23.06.2025.
AnalysisAI
Authorization bypass via user-controlled key manipulation in Turtek Software Eyotek exposes sensitive user data to remote attackers without requiring authentication. The vulnerability, classified as CWE-639 (Insecure Direct Object Reference class), permits an attacker to enumerate or substitute trusted identifiers in requests to access resources belonging to other users, resulting in high-confidentiality-impact data disclosure with no integrity or availability effect. Reported by Turkish USOM (iletisim@usom.gov.tr), no public exploit code exists and the EPSS score of 0.20% places this at the 43rd percentile, indicating low current exploitation probability.
Technical ContextAI
CWE-639 (Authorization Bypass Through User-Controlled Key) is a class of Insecure Direct Object Reference (IDOR) vulnerability where the application uses a caller-supplied value - such as a numeric ID, UUID, session token, or document reference embedded in a URL or request parameter - as the direct key for authorizing access to a resource, without independently verifying that the requesting principal owns or has rights to that resource. In Eyotek, a web-based platform developed by Turtek Software, this key is insufficiently validated server-side, allowing substitution with arbitrary values. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network delivery with low complexity and no privilege requirement on the attacker's part, though user interaction is required per the vector. The scope is unchanged (S:U), meaning exploitation is contained within the application's security boundary.
Affected ProductsAI
Turtek Software Eyotek is affected in all versions released before 23.06.2025. No CPE string is provided in the available intelligence, so exact platform or deployment form (cloud SaaS, on-premises) cannot be confirmed from this data alone. The Turkish USOM advisory (TR-25-0163) published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0163 and https://www.usom.gov.tr/bildirim/tr-25-0163 serves as the primary reference for affected version scope.
RemediationAI
Upgrade Eyotek to the version released on or after 23.06.2025, as indicated by the fix boundary in the NVD entry and the USOM advisory TR-25-0163 (https://www.usom.gov.tr/bildirim/tr-25-0163). The exact patched build version is not independently confirmed beyond the date reference - organizations should contact Turtek Software directly to obtain the specific patched release identifier. If immediate patching is not feasible, restrict access to the Eyotek application to trusted internal networks or authenticated VPN users only, as this reduces the AV:N attack surface to a controlled environment. Additionally, enable server-side access logging for object identifier lookups to detect anomalous enumeration patterns. Note that VPN-gating alone does not fix the underlying authorization flaw - it only reduces exposure. A server-side fix enforcing ownership validation on every resource key lookup is the only complete remediation.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today