CVE-2025-30073
Published: 26 March 2025
Description
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims.
Security Summary
CVE-2025-30073 affects OPC cardsystems Webapp Aufwertung version 2.1.0, a web application used for loading funds onto employee cards. The vulnerability stems from the reuse of transaction references. When a payment is completed, the system processes the first or all transactions with the matching reference, depending on timing conditions. This business logic flaw, classified under CWE-488 (consistency of security controls across components), enables unauthorized over-crediting of funds.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): it is exploitable over the network with low attack complexity by an unauthenticated attacker and requires no user interaction. An attacker can initiate multiple transactions that share one reference and complete a single payment; the system then fulfils every transaction associated with that reference, so more money is credited to employee cards than was actually paid.
For mitigation guidance, refer to the advisory at https://www.syss.de/pentest-blog/businesslogik-fehler-bei-aufwertung-von-geldkarten-in-opcr-webapp-aufwertung-syss-2024-089.
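The flaw class described above, reuse of a transaction reference so that one completed payment settles several top-ups, is easiest to see next to its fix. The following is an added illustration written for this page, not the vendor's code and not derived from the referenced advisory: a minimal in-memory top-up ledger whose vulnerable handler credits every unsettled transaction carrying the completed reference, beside a hardened handler that binds a reference to exactly one transaction at creation time, treats a repeated completion as a no-op, and refuses to credit when the paid amount does not match. All identifiers, amounts and the card/reference values are constructed for the example.

```python
"""Card top-up ledger: vulnerable reference handling beside a hardened version.

Added example for illustration only; not the affected product's code.
"""
from __future__ import annotations

from dataclasses import dataclass
import threading


@dataclass
class TopUp:
    reference: str      # identifier the payment provider echoes back on completion
    card_id: str
    amount_cents: int
    settled: bool = False


class VulnerableLedger:
    """Mirrors the described behaviour: references are not unique, and one
    completed payment fulfils every pending top-up carrying that reference."""

    def __init__(self) -> None:
        self.topups: list[TopUp] = []
        self.balances: dict[str, int] = {}

    def create_topup(self, reference: str, card_id: str, amount_cents: int) -> None:
        # No uniqueness check: the same reference can be attached to many top-ups.
        self.topups.append(TopUp(reference, card_id, amount_cents))

    def payment_completed(self, reference: str, paid_cents: int) -> int:
        credited = 0
        for t in self.topups:
            if t.reference == reference and not t.settled:
                t.settled = True
                self.balances[t.card_id] = self.balances.get(t.card_id, 0) + t.amount_cents
                credited += t.amount_cents
        return credited   # may exceed paid_cents: this is the over-crediting


class HardenedLedger:
    """Fixes applied: (1) a reference maps to exactly one top-up, enforced at
    creation; (2) completion is idempotent, so a replayed notification credits
    nothing; (3) the reported paid amount must equal the top-up amount."""

    def __init__(self) -> None:
        self._lock = threading.Lock()          # serialises create/complete (timing races)
        self.topups: dict[str, TopUp] = {}     # reference -> the single top-up it identifies
        self.balances: dict[str, int] = {}

    def create_topup(self, reference: str, card_id: str, amount_cents: int) -> None:
        with self._lock:
            if reference in self.topups:
                raise ValueError(f"reference {reference!r} already in use")
            self.topups[reference] = TopUp(reference, card_id, amount_cents)

    def payment_completed(self, reference: str, paid_cents: int) -> int:
        with self._lock:
            t = self.topups.get(reference)
            if t is None or t.settled:
                return 0      # unknown reference or replayed completion: credit nothing
            if paid_cents != t.amount_cents:
                return 0      # amount mismatch: do not credit (would be flagged for review)
            t.settled = True
            self.balances[t.card_id] = self.balances.get(t.card_id, 0) + t.amount_cents
            return t.amount_cents


def compare(n_duplicates: int = 3, amount_cents: int = 1000) -> tuple[int, int, int]:
    """Attach n_duplicates top-ups to one reference, complete a single payment of
    amount_cents, and return (credited_vulnerable, credited_hardened,
    duplicate_creations_rejected_by_hardened)."""
    v = VulnerableLedger()
    for _ in range(n_duplicates):
        v.create_topup("REF-0001", "card-42", amount_cents)
    credited_v = v.payment_completed("REF-0001", amount_cents)

    h = HardenedLedger()
    rejected = 0
    for _ in range(n_duplicates):
        try:
            h.create_topup("REF-0001", "card-42", amount_cents)
        except ValueError:
            rejected += 1
    credited_h = h.payment_completed("REF-0001", amount_cents)
    credited_h += h.payment_completed("REF-0001", amount_cents)   # replayed notification
    return credited_v, credited_h, rejected


if __name__ == "__main__":
    print(compare())   # vulnerable credits 3x the paid amount; hardened credits it once
```

The hardened ledger also shows the detection angle: any `create_topup` rejection or any completion that returns 0 for a known reference is an event worth logging and alerting on, since in a correctly behaving client neither should occur.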
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing web app enables remote exploitation (T1190) leading to unauthorized over-crediting of funds (T1657).