Skip to main content

SoliClub CVE-2025-7047

MEDIUM
Missing Authorization (CWE-862)
2025-12-18 iletisim@usom.gov.tr
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 15:40 vuln.today
CVE Published
Dec 18, 2025 - 15:16 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse.

This issue affects SoliClub: before 5.3.7.

AnalysisAI

Missing authorization controls in the SoliClub Android application (all versions before 5.3.7) allow authenticated low-privilege users to abuse their access and read data beyond their authorization level. The vulnerability, classified as CWE-862, exposes the application to privilege abuse where role or resource-level access checks are absent on one or more network-accessible functions. No public exploit code exists and EPSS stands at 0.03% (10th percentile), indicating no meaningful observed exploitation activity; this is not listed in CISA KEV.

Technical ContextAI

SoliClub is an Android mobile application developed by Utarit Informatics Services Inc., identified by CPE cpe:2.3:a:utarit:soliclub:*:*:*:*:*:android:*:*. The root cause is CWE-862 (Missing Authorization), a server-side or application-level control failure in which the platform authenticates users but neglects to verify that the caller holds the required permission before executing a privileged operation or returning restricted data. This class of flaw commonly manifests in mobile application backends where API endpoints enforce authentication via token but omit role-based or object-level authorization checks, a pattern prevalent in REST APIs consumed by Android clients. The CVSS network attack vector confirms the vulnerable function is reachable over the network rather than requiring local device access.

RemediationAI

Upgrade SoliClub to version 5.3.7 or later, which is confirmed by the NVD description as the first release addressing this missing authorization flaw. Refer to the Turkish USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0466 for vendor-specific deployment guidance. As a compensating control before patching, administrators should audit existing user roles within SoliClub and enforce least-privilege principles by deprovisioning or restricting low-privilege accounts that do not require access to sensitive data - note that over-restricting accounts may impair legitimate user functionality. Additionally, monitoring backend API logs for anomalous access patterns by low-privilege users may help detect attempted exploitation. No workaround fully substitutes for the vendor patch.

Share

CVE-2025-7047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy