CVE-2025-0875: CWE-639 Authorization Bypass Through User-Controlled Key in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System)
Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection. This issue affects OBS (Student Affairs Information System): before v26.0328.
AI Analysis
Technical Summary
CVE-2025-0875 is an authorization bypass vulnerability identified in the OBS (Student Affairs Information System) developed by PROLIZ Computer Software Hardware Service Trade Ltd. Co. It is categorized under CWE-639, authorization bypass through a user-controlled key: the application uses a client-supplied key (such as a record identifier passed as a request parameter) to select the data or function a request acts on, without verifying server-side that the authenticated user is entitled to that key. The issue therefore allows parameter injection, where an attacker manipulates the key that drives the authorization decision. The affected versions are those prior to v26.0328. An attacker who already holds privileges in the system can bypass authorization controls and potentially gain unauthorized access to sensitive student affairs data or functions. According to the CVSS 3.1 vector (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N), exploitation requires network access, high attack complexity, high privileges, and user interaction, with a high impact on confidentiality but no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet, so mitigation may rely on vendor updates or configuration changes once available.
Potential Impact
For European organizations, particularly educational institutions and administrative bodies using the OBS Student Affairs Information System, this vulnerability poses a risk of unauthorized data disclosure. The confidentiality impact is high, meaning sensitive student information such as personal data, academic records, or disciplinary actions could be exposed to unauthorized users. Although the vulnerability does not affect data integrity or system availability, the breach of confidentiality can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential legal consequences. The requirement for privileges and user interaction reduces the likelihood of widespread exploitation but does not eliminate the risk, especially in environments where insider threats or social engineering attacks are possible. Given the critical nature of student data and strict data protection regulations in Europe, this vulnerability warrants prompt attention.
Mitigation Recommendations
Organizations should first verify whether they are running affected versions of the OBS Student Affairs Information System, i.e. versions prior to v26.0328. Immediate mitigation steps include:
1) Restricting network access to the OBS system to trusted internal networks and enforcing strong authentication and authorization policies to limit privilege escalation.
2) Implementing strict input validation and parameter sanitization at the application layer to prevent parameter injection attacks.
3) Conducting user training to reduce the risk of social engineering that could facilitate the user interaction required for exploitation.
4) Monitoring logs and access patterns for unusual activity indicative of authorization bypass attempts.
5) Engaging with the vendor for timely patches or updates and applying them as soon as they become available.
6) Reviewing and tightening role-based access controls within the system to minimize the impact of any potential bypass.
These measures focus on access restriction, input validation, and proactive monitoring tailored to the nature of this vulnerability.
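The following is an added illustration of the CWE-639 pattern behind this advisory and of mitigation steps 2, 4 and 6; it is constructed example code, not code from PROLIZ OBS, and the record store, role names, advisor assignments and log line format are all assumptions. It shows a student-record lookup that trusts the client-supplied key beside a hardened version that derives the authorization decision from the session identity and role, plus a small audit-log check for accounts touching unusually many records or collecting denials.

```python
# Added example (not PROLIZ OBS code): CWE-639 in a student-affairs style record
# lookup. Data, roles and the log format below are constructed for illustration.
from collections import defaultdict

# Constructed sample data: records keyed by student id, and an advisor->students map.
STUDENT_RECORDS = {
    "S1001": {"name": "Student A", "gpa": 3.4, "disciplinary": []},
    "S1002": {"name": "Student B", "gpa": 2.9, "disciplinary": ["warning"]},
    "S1003": {"name": "Student C", "gpa": 3.8, "disciplinary": []},
}
ADVISOR_OF = {"adv-7": {"S1001", "S1002"}}   # advisor adv-7 is assigned two students


class AuthzError(Exception):
    pass


def lookup_vulnerable(session_user, role, student_id):
    """Vulnerable pattern: the user-controlled key alone selects the record, so any
    authenticated user reads any record just by changing student_id (CWE-639)."""
    return STUDENT_RECORDS[student_id]


def can_read(session_user, role, student_id):
    """Server-side decision: the key is only a selector; entitlement comes from the
    session identity and role, never from the parameter itself."""
    if student_id not in STUDENT_RECORDS:
        return False                      # unknown id is denied like a forbidden one
    if role == "student":
        return session_user == student_id
    if role == "advisor":
        return student_id in ADVISOR_OF.get(session_user, set())
    return role == "registrar"            # registrar may read all records


def lookup_hardened(session_user, role, student_id):
    """Hardened lookup: same 'denied' error for missing and forbidden records, so the
    endpoint does not become an oracle for enumerating valid student ids."""
    if not can_read(session_user, role, student_id):
        raise AuthzError("denied")
    return STUDENT_RECORDS[student_id]


def flag_unusual_access(log_lines, threshold=3):
    """Detection (mitigation step 4): flag accounts that touched more distinct student
    records than threshold, or that collected threshold or more denials.
    Constructed log format: 'user=<id> role=<role> student=<id> result=<ok|denied>'."""
    seen, denied = defaultdict(set), defaultdict(int)
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        seen[f["user"]].add(f["student"])
        denied[f["user"]] += f["result"] == "denied"
    return sorted(u for u in seen if len(seen[u]) > threshold or denied[u] >= threshold)
```

The denial counter matters because a hardened endpoint turns a successful bypass into a trail of denied requests, which is the signal to alert on.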
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-01-30T11:24:17.758Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 9/22/2025, 8:07:31 AM
Last enriched: 9/22/2025, 8:08:34 AM
Last updated: 10/7/2025, 7:44:17 AM