CVE-2025-27583
Published: 03 March 2025
Description
Adversaries may create an account to maintain access to victim systems.
Security Summary
CVE-2025-27583 is an incorrect access control vulnerability (CWE-862) in the /rest/staffResource/findAllUsersAcrossOrg component of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR version 1.0.118. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts with no availability disruption.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows remote creation and modification of user accounts, including Administrator accounts, enabling full compromise of the system's access controls, privilege escalation, and potential persistence or lateral movement within the affected SIS environment.
The primary reference points to a GitHub repository at https://github.com/VvV1per/Vulnerability-Research-CVEs/tree/main/CVE-2024-53637 containing vulnerability research details, though specific patch or mitigation guidance is not detailed in available sources. Security practitioners should verify vendor updates for EagleR v1.0.118 and implement network segmentation or access restrictions on the affected endpoint pending remediation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploit of public-facing REST endpoint enables account creation/modification (T1136, T1098) for privilege escalation (T1068) and initial access (T1190).