CVE-2025-0875: CWE-639 Authorization Bypass Through User-Controlled Key in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System)
Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection. This issue affects OBS (Student Affairs Information System): before v26.0328.
AI Analysis
Technical Summary
CVE-2025-0875 is an authorization bypass, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), in OBS (Student Affairs Information System) by PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS manages student affairs data, which typically includes sensitive personal and academic records. CWE-639 is the pattern commonly known as an insecure direct object reference: the application takes a key supplied by the client (for example a student, record or document identifier carried in a request parameter), uses it to retrieve a record, and never verifies that the authenticated user is entitled to that particular record. The advisory's attack-pattern label, Parameter Injection, indicates that an authenticated low-privilege user reaches other users' data by substituting or adding parameter values in otherwise ordinary requests; the requests are well formed, which is why generic input validation does not address this class of flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), which computes to a base score of 6.5 (Medium), means the attack is performed over the network with low complexity, requires only low privileges (an ordinary account) and no user interaction. Scope is unchanged, so the impact stays within the OBS application's own security authority; confidentiality impact is high, with no integrity or availability impact. All versions before v26.0328 are affected, so v26.0328 is the first version the advisory lists as unaffected, although the CVE record itself links no patch or vendor advisory. No exploitation in the wild has been reported. Successful exploitation would disclose restricted records such as student identities, grades or disciplinary records, which would generally constitute a personal-data breach under data protection law.
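The following is an added illustration of the CWE-639 pattern described above, not code from PROLIZ OBS or from the advisory. The in-memory record store, the `student_no` parameter, the `student` and `registrar` roles and the function names are all assumptions made up for the example. It places the vulnerable lookup (client key used directly) beside the hardened one (record resolved, then ownership checked against server-side session facts).

```python
"""Vulnerable vs. hardened record lookup for a CWE-639 / IDOR pattern.

Added illustration, not PROLIZ OBS code. The record store, role names and
the student_no parameter are assumptions made up for this example.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller may not read the requested record."""


@dataclass(frozen=True)
class Principal:
    user_id: str   # authenticated account, taken from the server-side session
    role: str      # "student" or "registrar" (assumed role names)


# Constructed sample data standing in for the student-affairs database.
# Keys are the record identifiers a client would send as a request parameter.
TRANSCRIPTS = {
    "20231001": {"owner": "u-alice", "gpa": 3.7, "status": "enrolled"},
    "20231002": {"owner": "u-bob", "gpa": 2.9, "status": "probation"},
}


def get_transcript_vulnerable(session: Principal, student_no: str) -> dict:
    """CWE-639: the client-supplied key is used directly as the lookup key.

    The only check is that the caller is logged in. Nothing ties student_no
    to session.user_id, so any authenticated user reads any record simply
    by changing the parameter value.
    """
    return TRANSCRIPTS[student_no]


def get_transcript_hardened(session: Principal, student_no: str) -> dict:
    """Object-level authorization: resolve the record, then verify ownership.

    The decision uses only server-side facts (the session's role and the
    record's owner column), never anything the client sent.
    """
    record = TRANSCRIPTS.get(student_no)
    if record is None:
        # Same error for "missing" and "not yours" so the response does not
        # reveal which identifiers exist.
        raise AuthorizationError("record not accessible")
    if session.role != "registrar" and record["owner"] != session.user_id:
        raise AuthorizationError("record not accessible")
    return record


def demo() -> tuple:
    """Bob, an ordinary student, requests Alice's transcript number.

    Returns (owner leaked by the vulnerable lookup, hardened lookup refused).
    """
    bob = Principal(user_id="u-bob", role="student")
    leaked = get_transcript_vulnerable(bob, "20231001")["owner"]
    try:
        get_transcript_hardened(bob, "20231001")
        blocked = False
    except AuthorizationError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # ('u-alice', True)
```

The hardened check must sit on every endpoint that accepts a record key; hiding or randomizing identifiers is not a substitute, because the server still has to decide who may read the record behind whatever key arrives.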
Potential Impact
For European organizations, particularly educational institutions that run PROLIZ OBS, the risk is to the confidentiality of student data. Unauthorized access could expose personally identifiable information (PII), academic records and other sensitive information, which for an EU institution would generally constitute a personal-data breach under the GDPR, with the associated notification duties and possible reputational, legal and financial consequences. The vulnerability does not affect data integrity or system availability, but the confidentiality impact alone is serious given the sensitivity of educational records. Exploitation needs only a low-privilege account and no user interaction, so any student, lecturer or other ordinary OBS login, or a phished or otherwise compromised one, is a sufficient starting point, and the requests can be scripted to enumerate records at scale. Any third-party service that receives student data from OBS inherits the exposure of the records it is fed.
Mitigation Recommendations
Upgrade OBS to v26.0328 or later, the first version the advisory lists as unaffected, and confirm the fixed version with PROLIZ, since the CVE record links no patch note. Because the weakness is a missing authorization check rather than malformed input, input validation and sanitization alone do not fix it: an exploit request is well formed and differs from a legitimate one only in the value of the key. Until the upgrade is applied, reduce exposure by limiting who can reach OBS from outside the institution's network (VPN or address allow-listing), so that the low-privilege account the attack requires cannot be any account on the internet; review OBS accounts and remove dormant or shared logins; and enforce least privilege so that student and lecturer accounts hold no rights beyond their role. For detection, have the reverse proxy or application log the authenticated user together with the record identifiers in each request, and alert when a single account retrieves records for many distinct students, for identifiers outside its own enrolment, or walks sequential ID values; run the same checks over historical logs to find prior abuse. A WAF can add rate limits and rules for unexpected parameters on the affected endpoints, but it cannot reliably tell a legitimate lookup from an unauthorized one with a different key, so treat it as a speed bump rather than a fix. After remediation, verify the fix as a low-privilege account by requesting another student's record and confirming the application returns an authorization error rather than the record; the ownership check must be enforced server side on every endpoint that takes a record key. Brief administrative and IT staff on the issue so that reports of users seeing other students' data are escalated promptly.
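As an added example of the log-based detection recommended above (not part of the advisory or of any PROLIZ tooling), the script below scans access-log lines for student accounts that successfully read records they do not own and reports whether the identifiers form a contiguous run, the signature of someone walking the key space. The log format, the `student_no` parameter, the role names and the ownership table are constructed assumptions; adapt the regular expression to the fields your proxy actually records.

```python
"""Detect record enumeration by authenticated users in web access logs.

Added illustration, not part of PROLIZ OBS or the advisory. The log format,
the student_no parameter and the ownership table are constructed
assumptions; adapt LINE_RE to the fields your proxy actually logs.
"""
import re
from collections import defaultdict

# Constructed sample lines: timestamp, authenticated user, role, request, status.
SAMPLE_LOG = """\
2025-03-30T09:00:01Z user=u-alice role=student GET /obs/transcript?student_no=20231001 200
2025-03-30T09:00:07Z user=u-bob role=student GET /obs/transcript?student_no=20231002 200
2025-03-30T09:01:12Z user=u-bob role=student GET /obs/transcript?student_no=20231001 200
2025-03-30T09:01:13Z user=u-bob role=student GET /obs/transcript?student_no=20231003 200
2025-03-30T09:01:14Z user=u-bob role=student GET /obs/transcript?student_no=20231004 200
2025-03-30T09:01:15Z user=u-bob role=student GET /obs/transcript?student_no=20231005 200
2025-03-30T09:02:00Z user=u-reg role=registrar GET /obs/transcript?student_no=20231001 200
2025-03-30T09:02:01Z user=u-reg role=registrar GET /obs/transcript?student_no=20231002 200
"""

# Assumed mapping from account to the student numbers it legitimately owns.
OWN_RECORDS = {"u-alice": {"20231001"}, "u-bob": {"20231002"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)\?student_no=(?P<sid>\d+) (?P<status>\d{3})$"
)


def parse(log_text: str) -> list:
    """Return one dict per well-formed line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def longest_run(nums: list) -> int:
    """Length of the longest run of consecutive integers in a sorted list."""
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text: str, max_foreign: int = 2, min_run: int = 3) -> dict:
    """Flag student accounts that successfully read records they do not own.

    Only role=student is held to the ownership rule; registrar accounts are
    assumed entitled to any record (an assumption of this example). Only 2xx
    responses count, since a refused request leaked nothing. The sequential
    check runs over every id the account touched, own record included,
    because an enumerating user passes through their own id as well.
    """
    foreign = defaultdict(set)
    touched = defaultdict(set)
    for ev in parse(log_text):
        if ev["role"] != "student" or not ev["status"].startswith("2"):
            continue
        touched[ev["user"]].add(ev["sid"])
        if ev["sid"] not in OWN_RECORDS.get(ev["user"], set()):
            foreign[ev["user"]].add(ev["sid"])
    report = {}
    for user, ids in foreign.items():
        nums = sorted(int(i) for i in touched[user])
        report[user] = {
            "foreign_ids": sorted(ids),
            "sequential_walk": longest_run(nums) >= min_run,
            "exceeds_threshold": len(ids) > max_foreign,
        }
    return report


if __name__ == "__main__":
    for user, finding in find_enumeration(SAMPLE_LOG).items():
        print(user, finding)
```

Every foreign read by a student account is worth an alert on its own, since a correctly authorized application should never produce one; the threshold and run length exist to rank findings when the log is large.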
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-01-30T11:24:17.758Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d103c34b809de657261e0c
Added to database: 9/22/2025, 8:07:31 AM
Last enriched: 2/11/2026, 10:20:18 AM
Last updated: 3/24/2026, 7:44:13 PM