Skip to main content

Beamsec PhishPro CVE-2025-5997

HIGH
Incorrect Use of Privileged APIs (CWE-648)
2025-07-28 iletisim@usom.gov.tr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:36 vuln.today

DescriptionCVE.org

Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse.

This issue affects PhishPro: before 7.5.4.2.

AnalysisAI

Privilege escalation in Beamsec PhishPro before version 7.5.4.2 allows authenticated low-privileged users to abuse privileged API calls, resulting in full confidentiality, integrity, and availability compromise (CVSS 8.8). The root cause is CWE-648 (Incorrect Use of Privileged APIs), meaning the application exposes or incorrectly gates privileged API operations that low-privileged users can invoke directly. No public exploit exists at time of analysis, and EPSS sits at 0.25% (49th percentile), but the network-accessible, low-complexity attack path warrants prioritized remediation for any internet-facing PhishPro deployment.

Technical ContextAI

PhishPro is a phishing simulation and security awareness platform developed by Beamsec. The vulnerability is classified under CWE-648 (Incorrect Use of Privileged APIs), which describes scenarios where an application incorrectly invokes or exposes privileged API functions without enforcing proper authorization checks - allowing callers with insufficient privilege to trigger high-impact operations. In practice, this typically manifests as missing or bypassable server-side authorization on API endpoints that perform administrative or sensitive operations. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the flaw is reachable over the network with low privilege and no user interaction, suggesting the vulnerable API surface is exposed through the application's web interface or REST API layer. No CPE strings were provided, but the advisory identifies all PhishPro versions before 7.5.4.2 as affected.

Affected ProductsAI

Beamsec PhishPro all versions prior to 7.5.4.2 are confirmed affected per the vendor advisory published by Turkey's National Cyber Incident Response Center (USOM) at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0181 and https://www.usom.gov.tr/bildirim/tr-25-0181. No CPE strings were included in the available intelligence data, so the affected version boundary is based solely on NVD and USOM advisory data. The advisory does not specify operating system or deployment-mode restrictions, implying all standard PhishPro deployments before 7.5.4.2 are in scope.

RemediationAI

Upgrade PhishPro to version 7.5.4.2 or later, which is the vendor-confirmed fixed release per the USOM advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0181). Organizations unable to patch immediately should restrict access to the PhishPro web interface and API endpoints to trusted internal networks or VPN only, preventing unauthenticated network access that would otherwise lower the barrier to abuse. Additionally, audit existing low-privileged user accounts for anomalous API activity and consider temporarily disabling non-essential user accounts until the patch is applied. Note that network restriction as a compensating control does not eliminate risk from insider threats or compromised low-privilege credentials - patching remains the definitive remediation.

Share

CVE-2025-5997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy