Cyber Posture

CVE-2025-61197

Severity: High

Published: 06 October 2025

Modified: 15 April 2026
KEV Added: (no value listed)
Patch: (no value listed)
CVSS Score: 8.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
EPSS Score: 0.0011 (percentile 29.2)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2025-61197 is a privilege escalation vulnerability affecting Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, and Optimod Trio at Optimod version 1.0.0.33 running system version 2.5.26. The flaw stems from the application storing user privilege and role information in client-side browser storage, so a remote attacker who alters that stored data can bypass the server-side security controls that rely on it (CWE-602, Client-Side Enforcement of Server-Side Security). Published on 2025-10-06, it carries a CVSS v3.1 base score of 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L).

A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low attack complexity (AC:L), provided a target user performs a required interaction such as clicking a malicious link or approving an action (UI:R). Successful exploitation yields privilege escalation with high confidentiality and integrity impact (C:H/I:H), low availability impact (A:L), and a changed scope (S:C), meaning the impact extends beyond the security authority of the vulnerable component itself.

Mitigation details and further technical analysis are available in advisories referenced at https://www.orban.com/ and the vulnerability research repository at https://github.com/giulioschiavone/Vulnerability-Research/tree/main/CVE-2025-61197.
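As an added illustration of the CWE-602 pattern the summary describes, and not code from Orban or from the linked research, the following compares an authorization check that trusts a role echoed from browser storage with one that resolves the role from a server-side session record, plus a mismatch check a defender can log; the session ids, header name and roles are constructed for the demo.

```javascript
// Server-side session store: opaque session id -> authoritative user record.
// Session ids, users and roles are constructed for this demo.
const sessions = new Map([
  ["sess-a1b2c3", { user: "operator", role: "viewer" }],
  ["sess-d4e5f6", { user: "engineer", role: "admin" }],
]);

// Vulnerable pattern (CWE-602): the browser keeps the role in client-side
// storage and echoes it back on every request; the server trusts the echo,
// so whatever the client stores is what the server enforces.
function vulnerableAuthorize(req) {
  return req.headers["x-user-role"] === "admin";
}

// Hardened pattern: the browser presents only an opaque session id; the
// role is read from the server-side record and any client claim is ignored.
function hardenedAuthorize(req) {
  const session = sessions.get(req.cookies.session_id);
  if (!session) return false; // unknown or expired session: deny by default
  return session.role === "admin";
}

// Detection aid: a client-claimed role that disagrees with the server-side
// record is a strong tamper signal worth logging while legacy clients still
// send the claim.
function roleClaimMismatch(req) {
  const session = sessions.get(req.cookies.session_id);
  const claimed = req.headers["x-user-role"];
  return Boolean(session && claimed && claimed !== session.role);
}

// Constructed requests: a viewer session whose stored role was edited to
// "admin", and a genuine admin session sending an honest claim.
const tamperedViewer = {
  cookies: { session_id: "sess-a1b2c3" },
  headers: { "x-user-role": "admin" },
};
const genuineAdmin = {
  cookies: { session_id: "sess-d4e5f6" },
  headers: { "x-user-role": "admin" },
};

console.log("vulnerable grants tampered viewer:", vulnerableAuthorize(tamperedViewer)); // true
console.log("hardened grants tampered viewer:", hardenedAuthorize(tamperedViewer));     // false
console.log("mismatch flagged:", roleClaimMismatch(tamperedViewer));                   // true
```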

Details

CWE(s): CWE-602

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a privilege escalation flaw exploited by manipulating client-side browser storage to bypass server-side controls, directly enabling T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References