CVE-2025-25952

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers to access sensitive student information by manipulating the studentId parameter in the /getStudemtAllDetailsById API endpoint. It affects Serosoft Solutions Academia Student Information System EagleR v1.0.118 users. Attackers can exploit this without authentication to view unauthorized data.

💻 Affected Systems

Products:
  • Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR
Versions: v1.0.118
Operating Systems: Not specified - likely web application independent of OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the API endpoint /getStudemtAllDetailsById?studentId=XX. Note the spelling 'Studemt' in the endpoint name.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass data breach exposing all student records, including personally identifiable information, academic records, and potentially sensitive contact details.

🟠 Likely Case

Unauthorized access to individual student records leading to privacy violations and potential identity theft.

🟢 If Mitigated

Limited exposure of non-sensitive student information if proper access controls and input validation are implemented.

🌐 Internet-Facing: HIGH - The vulnerable endpoint appears to be accessible via API requests, making it exploitable from the internet.
🏢 Internal Only: MEDIUM - Even if not internet-facing, internal attackers or compromised accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple parameter manipulation in API requests. GitHub repositories contain research and likely proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not found in provided references

Restart Required: No

Instructions:

1. Contact Serosoft Solutions for an official patch or update.
2. If a patch is available, apply it following vendor instructions.
3. Test the fix in a non-production environment first.

🔧 Temporary Workarounds

API Endpoint Restriction

Restrict access to the vulnerable endpoint using a web application firewall or reverse proxy rules.

# Example nginx location block to block endpoint
location ~* /getStudemtAllDetailsById {
    deny all;
    return 403;
}

Input Validation Enhancement

Implement server-side validation to ensure the studentId parameter matches the authenticated user's access rights.

# Pseudo-code for validation
if (!isAuthorized(currentUser, requestedStudentId)) {
    return 403;
}

🧯 If You Can't Patch

  • Implement strict access controls and authentication checks before processing the studentId parameter
  • Monitor and log all access attempts to the vulnerable endpoint for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Test by accessing /getStudemtAllDetailsById?studentId= with different ID values while authenticated as a different user. If you can access data not belonging to your account, the system is vulnerable.

Check Version:

Check application version in admin panel or about page. Command varies by deployment.

Verify Fix Applied:

After implementing controls, repeat the test. A successful fix should return 403 or a proper authorization error when attempting to access unauthorized student data.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authorization attempts on /getStudemtAllDetailsById endpoint
  • Unusual pattern of studentId parameter values in requests
  • Access to student records outside normal user patterns

Network Indicators:

  • Unusual volume of requests to the vulnerable endpoint
  • Requests with sequential or manipulated studentId parameters

SIEM Query:

source="web_server" AND uri_path="/getStudemtAllDetailsById" AND (studentId NOT IN authorized_ids OR rate_threshold_exceeded)
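
The log and network indicators above (one client requesting many or sequential studentId values) can be checked offline against web server access logs. The following Python is an added example, not vendor or advisory code; it assumes combined-format access logs, and the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/getstudemtalldetailsbyid"  # path from the advisory, lower-cased
# Assumed log layout: combined log format (client IP, request line, status).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:09:00:01 +0000] "GET /getStudemtAllDetailsById?studentId=1001 HTTP/1.1" 200 812
198.51.100.7 - - [10/Mar/2025:09:00:02 +0000] "GET /getStudemtAllDetailsById?studentId=1002 HTTP/1.1" 200 790
198.51.100.7 - - [10/Mar/2025:09:00:02 +0000] "GET /getStudemtAllDetailsById?studentId=1003 HTTP/1.1" 200 805
198.51.100.7 - - [10/Mar/2025:09:00:03 +0000] "GET /getStudemtAllDetailsById?studentId=1004 HTTP/1.1" 200 799
203.0.113.20 - - [10/Mar/2025:09:04:10 +0000] "GET /getStudemtAllDetailsById?studentId=2040 HTTP/1.1" 200 801
203.0.113.20 - - [10/Mar/2025:09:30:44 +0000] "GET /getStudemtAllDetailsById?studentId=2040 HTTP/1.1" 200 801
192.0.2.9 - - [10/Mar/2025:09:05:00 +0000] "GET /getStudemtAllDetailsById?studentId=3050 HTTP/1.1" 403 120
192.0.2.9 - - [10/Mar/2025:09:06:00 +0000] "GET /login HTTP/1.1" 200 512
"""

def endpoint_hits(lines):
    """Yield (client, studentId, status) for each request to the endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path.lower().endswith(ENDPOINT):
            for sid in parse_qs(url.query).get("studentId", []):
                yield client, sid, int(status)

def longest_run(ids):
    """Length of the longest run of consecutive numeric IDs."""
    nums = {int(i) for i in ids if i.isdecimal()}
    starts = [n for n in nums if n - 1 not in nums]
    return max((next(k for k in range(1, len(nums) + 1) if n + k not in nums)
                for n in starts), default=0)

def flag_clients(lines, max_distinct=3, min_run=3):
    """Report clients whose studentId values are many or sequential."""
    ids, denied = defaultdict(set), defaultdict(int)
    for client, sid, status in endpoint_hits(lines):
        ids[client].add(sid)
        denied[client] += status in (401, 403)  # failed authorization count
    return {c: {"distinct": len(s), "run": longest_run(s), "denied": denied[c]}
            for c, s in ids.items()
            if len(s) > max_distinct or longest_run(s) >= min_run}
```

Calling flag_clients(SAMPLE_LOG.splitlines()) reports only the client that walked consecutive IDs; a user re-fetching a single record is not flagged. Tune both thresholds to the deployment's normal per-user access pattern.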
