Beamsec PhishPro CVE-2025-5997
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse.
This issue affects PhishPro: before 7.5.4.2.
AnalysisAI
Privilege escalation in Beamsec PhishPro before version 7.5.4.2 allows authenticated low-privileged users to abuse privileged API calls, resulting in full confidentiality, integrity, and availability compromise (CVSS 8.8). The root cause is CWE-648 (Incorrect Use of Privileged APIs), meaning the application exposes or incorrectly gates privileged API operations that low-privileged users can invoke directly. No public exploit exists at time of analysis, and EPSS sits at 0.25% (49th percentile), but the network-accessible, low-complexity attack path warrants prioritized remediation for any internet-facing PhishPro deployment.
Technical ContextAI
PhishPro is a phishing simulation and security awareness platform developed by Beamsec. The vulnerability is classified under CWE-648 (Incorrect Use of Privileged APIs), which describes scenarios where an application incorrectly invokes or exposes privileged API functions without enforcing proper authorization checks - allowing callers with insufficient privilege to trigger high-impact operations. In practice, this typically manifests as missing or bypassable server-side authorization on API endpoints that perform administrative or sensitive operations. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the flaw is reachable over the network with low privilege and no user interaction, suggesting the vulnerable API surface is exposed through the application's web interface or REST API layer. No CPE strings were provided, but the advisory identifies all PhishPro versions before 7.5.4.2 as affected.
Affected ProductsAI
Beamsec PhishPro all versions prior to 7.5.4.2 are confirmed affected per the vendor advisory published by Turkey's National Cyber Incident Response Center (USOM) at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0181 and https://www.usom.gov.tr/bildirim/tr-25-0181. No CPE strings were included in the available intelligence data, so the affected version boundary is based solely on NVD and USOM advisory data. The advisory does not specify operating system or deployment-mode restrictions, implying all standard PhishPro deployments before 7.5.4.2 are in scope.
RemediationAI
Upgrade PhishPro to version 7.5.4.2 or later, which is the vendor-confirmed fixed release per the USOM advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0181). Organizations unable to patch immediately should restrict access to the PhishPro web interface and API endpoints to trusted internal networks or VPN only, preventing unauthenticated network access that would otherwise lower the barrier to abuse. Additionally, audit existing low-privileged user accounts for anomalous API activity and consider temporarily disabling non-essential user accounts until the patch is applied. Note that network restriction as a compensating control does not eliminate risk from insider threats or compromised low-privilege credentials - patching remains the definitive remediation.
Same weakness CWE-648 – Incorrect Use of Privileged APIs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today