CVE-2025-25614
Published: 10 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-25614 is an incorrect access control vulnerability in Unifiedtransform version 2.0 that enables privilege escalation. It allows authenticated teachers to update the personal data of other teachers, violating intended role-based access restrictions. The issue is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
The vulnerability can be exploited by low-privileged network users, such as authenticated teachers (PR:L), with low attack complexity and no user interaction required. A teacher account can therefore modify the sensitive personal data of fellow teachers, and the high confidentiality, integrity, and availability ratings reflect the potential for unauthorized data alterations across the system.
Advisories and further details are available in the provided references, including the CVE disclosure repository at https://github.com/armaansidana2003/CVE-2025-25614 and the Unifiedtransform project at https://github.com/changeweb/Unifiedtransform.
Details
- CWE(s): CWE-284 (Improper Access Control)
Affected Products
- Unifiedtransform version 2.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control enables authenticated low-privilege users (teachers) to perform admin-only actions like editing other teachers' personal data, facilitating exploitation for privilege escalation.
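To make the missing check concrete, the following added Python example (not Unifiedtransform code, and not from the CVE repository) models the vulnerable authorization decision beside a hardened object-level version, then runs a simple detection over constructed audit-log lines; the `/teachers/<id>/update` route shape, the log format and the user ids are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "admin" or "teacher" (assumed role names)


def can_update_teacher_vulnerable(actor: User, target_teacher_id: int) -> bool:
    """CWE-284 pattern: checks only that the caller holds a staff role,
    never whose record is being edited, so any teacher may edit any teacher."""
    return actor.role in ("admin", "teacher")


def can_update_teacher_fixed(actor: User, target_teacher_id: int) -> bool:
    """Hardened check: admins may edit any teacher record; a teacher may
    edit only their own (object-level authorization, not just role)."""
    if actor.role == "admin":
        return True
    return actor.role == "teacher" and actor.id == target_teacher_id


# Constructed audit-log lines: "<actor_id> <role> <method> <path> <status>".
# The /teachers/<id>/update route is a hypothetical shape for illustration.
AUDIT_LOG = """\
7 teacher POST /teachers/7/update 302
7 teacher POST /teachers/12/update 302
3 admin POST /teachers/12/update 302
9 teacher GET /teachers/9/edit 200
""".splitlines()

_LINE = re.compile(r"^(\d+) (\w+) (\w+) /teachers/(\d+)/update (\d+)$")


def find_cross_teacher_updates(lines):
    """Return (actor_id, target_id) for every non-failing, teacher-initiated
    update of a *different* teacher's record: exactly the requests the
    hardened check would have denied."""
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        actor_id, role, method = int(m[1]), m[2], m[3]
        target_id, status = int(m[4]), int(m[5])
        if method == "POST" and role == "teacher" and actor_id != target_id and status < 400:
            hits.append((actor_id, target_id))
    return hits
```

Running `find_cross_teacher_updates(AUDIT_LOG)` on the constructed log flags only the teacher 7 to teacher 12 update; the admin's edit and the self-edit pass.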