CVE-2025-26853

CVE-2025-26853 is a critical vulnerability in DESCOR INFOCAD versions 3.5.1 and prior, stemming from a broken authorization schema as indicated by associated CWEs-863 (Incorrect Authorization) and CWE-862 (Missing Authorization). The issue received a perfect CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), highlighting its severity due to network accessibility, low attack complexity, no required privileges or user interaction, and broad impacts across confidentiality, integrity, and availability with a changed scope. It was published on 2025-03-20.

Unauthenticated attackers can exploit this vulnerability remotely over the network with minimal effort, bypassing authorization controls to gain unauthorized access to the affected INFOCAD software. Successful exploitation enables high-impact outcomes, including complete compromise of confidentiality (e.g., data exposure), integrity (e.g., data manipulation), and availability (e.g., denial of service), potentially leading to full system control given the scope change.

Advisories point to mitigation via patching, with the vulnerability fixed in INFOCAD version 3.5.2.0 as detailed in the official changelog. Security practitioners should reference the DESCOR INFOCAD product page and the specific changelog entry on broken authorization schema for deployment guidance and verification.