CVE-2025-25616
Published: 10 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25616 is an Incorrect Access Control vulnerability in Unifiedtransform version 2.0, published on 2025-03-10. The flaw allows students to modify rules for exams via the affected endpoint /exams/edit-rule?exam_rule_id=1. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) and maps to CWE-284 (Improper Access Control) as well as NVD-CWE-Other.
The vulnerability can be exploited by low-privilege users, such as authenticated students, over the network with low attack complexity and no user interaction required. Exploitation enables modification of exam rules, leading to a low-impact integrity violation while preserving confidentiality and availability.
Advisories and related details are provided in the GitHub repositories at https://github.com/armaansidana2003/CVE-2025-25616 and https://github.com/changeweb/Unifiedtransform.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control vulnerability in public-facing web application (/exams/edit-rule endpoint) allows authenticated low-privilege users (students) to perform unauthorized administrative actions like modifying exam rules, enabling exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).