CVE-2025-62730
📋 TL;DR
SOPlanning users with the user_manage_team role can assign administrative permissions to any user, including themselves, allowing privilege escalation to admin. This affects both Bulk Update and regular user rights editing. All SOPlanning instances below version 1.55 are vulnerable.
💻 Affected Systems
- SOPlanning
📦 What is this software?
Soplanning by Soplanning
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with user_manage_team role gains full administrative control over the SOPlanning instance, potentially compromising all data, configurations, and user accounts.
Likely Case
A malicious insider or compromised account with user_manage_team role escalates to admin, gaining unauthorized access to sensitive planning data and system controls.
If Mitigated
With proper role separation and monitoring, impact is limited to unauthorized permission changes that can be detected and reversed.
🎯 Exploit Status
Exploitation requires authenticated access with user_manage_team role. The vulnerability is straightforward to exploit via the user management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.55
Vendor Advisory: https://www.soplanning.org/en/
Restart Required: Yes
Instructions:
1. Backup your SOPlanning instance and database.
2. Download version 1.55 or later from the official SOPlanning website.
3. Follow the SOPlanning upgrade documentation to apply the update.
4. Restart the SOPlanning service or web server.
5. Verify the fix by testing user permission assignments.
🔧 Temporary Workarounds
Remove user_manage_team role
Temporarily remove the user_manage_team role from all users until patching is complete.
UPDATE users SET roles = REPLACE(roles, 'user_manage_team', '') WHERE roles LIKE '%user_manage_team%';
Take a database backup first and test on a copy: REPLACE strips only the literal role name, so if roles is stored as a delimited list the surrounding delimiters stay behind and the column should be inspected afterwards.
Restrict user management access
Limit network access to the SOPlanning user management interface using firewall rules or access controls.
🧯 If You Can't Patch
- Audit all users with user_manage_team role and monitor their activity closely.
- Implement strict logging and alerting for permission changes in the user management tab.
🔍 How to Verify
Check if Vulnerable:
Your instance is vulnerable if its version is below 1.55; the version is shown in the web interface or in the configuration files.
Check Version:
Check the SOPlanning web interface footer or the config.php file for version information.
Verify Fix Applied:
After updating to version 1.55 or later, verify that users with user_manage_team role cannot assign administrative permissions.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing permission changes from non-admin users
- User role modifications in application logs
Network Indicators:
- HTTP POST requests to user management endpoints from non-admin accounts
SIEM Query:
source="SOPlanning" AND (event="user_permission_change" OR event="role_modification") AND user_role!="admin"
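As an added example (not from the advisory or from SOPlanning), this Python script applies the detection logic above to constructed JSON log lines: it keeps only permission and role change events, drops those performed by admin actors, and rates highest the case the TL;DR describes, a user_manage_team holder granting admin to themselves. Field names such as actor_roles and granted are assumed; map them to whatever your logging pipeline emits.

```python
import json
from typing import List, Optional

# Constructed sample events; SOPlanning's real log schema is not on the advisory
# page, so these JSON field names are assumptions, not the product's own.
SAMPLE_LOGS = [
    '{"source":"SOPlanning","event":"login","actor":"alice","actor_roles":["admin"]}',
    '{"source":"SOPlanning","event":"user_permission_change","actor":"alice",'
    '"actor_roles":["admin"],"target":"bob","granted":["projects"]}',
    '{"source":"SOPlanning","event":"role_modification","actor":"carol",'
    '"actor_roles":["user_manage_team"],"target":"carol","granted":["admin"]}',
    '{"source":"SOPlanning","event":"user_permission_change","actor":"carol",'
    '"actor_roles":["user_manage_team"],"target":"dave","granted":["admin","user_manage_team"]}',
    '{"source":"SOPlanning","event":"user_permission_change","actor":"erin",'
    '"actor_roles":["user_manage_team"],"target":"frank","granted":["projects"]}',
    'not a json line',
]
CHANGE_EVENTS = {"user_permission_change", "role_modification"}  # events from the SIEM query

def classify(record: dict) -> Optional[dict]:
    """Return an alert dict for a rights change made by an actor who is not an admin."""
    if record.get("source") != "SOPlanning" or record.get("event") not in CHANGE_EVENTS:
        return None
    if "admin" in record.get("actor_roles", []):
        return None  # administrators editing rights is the expected path
    granted = record.get("granted", [])
    actor, target = record.get("actor", "?"), record.get("target", "?")
    severity = "info"  # a non-admin changed rights, but handed out no admin role
    if "admin" in granted:
        # A non-admin granting admin is the CVE-2025-62730 pattern; self-grant is worst.
        severity = "critical" if actor == target else "high"
    return {"actor": actor, "target": target, "granted": granted, "severity": severity}

def scan(lines) -> List[dict]:
    """Parse JSON log lines, skipping malformed ones, and collect alerts in order."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole scan
        alert = classify(record)
        if alert is not None:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a['severity']}] {a['actor']} -> {a['target']}: granted {', '.join(a['granted'])}")
```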