SoliClub
CVE-2025-7047
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse.
This issue affects SoliClub: before 5.3.7.
AnalysisAI
Missing authorization controls in the SoliClub Android application (all versions before 5.3.7) allow authenticated low-privilege users to abuse their access and read data beyond their authorization level. The vulnerability, classified as CWE-862, exposes the application to privilege abuse where role or resource-level access checks are absent on one or more network-accessible functions. No public exploit code exists and EPSS stands at 0.03% (10th percentile), indicating no meaningful observed exploitation activity; this is not listed in CISA KEV.
Technical ContextAI
SoliClub is an Android mobile application developed by Utarit Informatics Services Inc., identified by CPE cpe:2.3:a:utarit:soliclub:*:*:*:*:*:android:*:*. The root cause is CWE-862 (Missing Authorization), a server-side or application-level control failure in which the platform authenticates users but neglects to verify that the caller holds the required permission before executing a privileged operation or returning restricted data. This class of flaw commonly manifests in mobile application backends where API endpoints enforce authentication via token but omit role-based or object-level authorization checks, a pattern prevalent in REST APIs consumed by Android clients. The CVSS network attack vector confirms the vulnerable function is reachable over the network rather than requiring local device access.
RemediationAI
Upgrade SoliClub to version 5.3.7 or later, which is confirmed by the NVD description as the first release addressing this missing authorization flaw. Refer to the Turkish USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0466 for vendor-specific deployment guidance. As a compensating control before patching, administrators should audit existing user roles within SoliClub and enforce least-privilege principles by deprovisioning or restricting low-privilege accounts that do not require access to sensitive data - note that over-restricting accounts may impair legitimate user functionality. Additionally, monitoring backend API logs for anomalous access patterns by low-privilege users may help detect attempted exploitation. No workaround fully substitutes for the vendor patch.
Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub all
Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrec
Hard-coded credentials in Utarit Informatics SoliClub Android application versions prior to 5.3.7 allow remote unauthent
Authorization bypass in Utarit Informatics SoliClub Android application versions 5.2.4 through 5.3.6 allows remote unaut
Hard-coded credentials in Utarit Information Services SoliClub Android app (versions 5.2.4 through 5.3.7) allow remote u
Information disclosure in Utarit Informatics SoliClub Android app versions 5.2.4 through 5.3.6 allows remote unauthentic
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today