CVE-2025-11080: Improper Authorization in zhuimengshaonian wisdom-education
A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. This vulnerability affects the function selectStudentExamInfoList of the file src/main/java/com/education/api/controller/student/ExamInfoController.java. Such manipulation of the argument subjectId leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-11080 is a medium severity security vulnerability identified in the zhuimengshaonian wisdom-education software versions 1.0.0 through 1.0.4. The vulnerability resides in the selectStudentExamInfoList function within the ExamInfoController.java source file. Specifically, the issue arises from improper authorization checks related to the manipulation of the subjectId argument. This flaw allows an attacker to remotely exploit the system by supplying crafted subjectId parameters to access or retrieve student exam information without proper permission validation. The vulnerability does not require user interaction and is exploitable over the network, although it requires low privileges (PR:L) on the system. The CVSS 4.0 base score is 5.3, reflecting a medium severity level, with the vector indicating a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and limited impact confined to confidentiality (VC:L) without affecting integrity or availability. The vulnerability has been publicly disclosed, but no known exploits in the wild have been reported to date. The root cause is an authorization bypass that could lead to unauthorized access to sensitive student exam data, potentially exposing personal and academic information. Since the vulnerability affects a core API controller function, it could be leveraged to extract data across multiple student records if the system is deployed in educational institutions.
Potential Impact
For European organizations, particularly educational institutions or vendors using the zhuimengshaonian wisdom-education platform, this vulnerability poses a risk of unauthorized disclosure of student exam information. The exposure of such data could violate GDPR regulations concerning personal data protection, leading to legal and financial repercussions. Confidentiality breaches could undermine trust in educational services and damage institutional reputations. Although the vulnerability does not directly impact system integrity or availability, the unauthorized access to sensitive academic records could facilitate further social engineering or targeted attacks against students or staff. Additionally, if the platform integrates with other educational or administrative systems, the unauthorized data access could cascade, increasing the attack surface. The remote exploitability and lack of required user interaction make this vulnerability particularly concerning in environments where the software is internet-facing or accessible over untrusted networks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should prioritize updating the zhuimengshaonian wisdom-education software to a patched version once available. In the absence of an official patch, implement strict access controls at the network level to restrict access to the affected API endpoints, such as IP whitelisting or VPN-only access. Conduct a thorough code review of the selectStudentExamInfoList function and related authorization logic to ensure subjectId parameters are properly validated against the authenticated user's permissions. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block anomalous requests targeting the vulnerable endpoint. Additionally, monitor logs for unusual access patterns or repeated requests with manipulated subjectId values. Educate administrators and developers about secure coding practices regarding authorization checks to prevent similar issues. Finally, conduct regular security assessments and penetration tests focusing on authorization controls within the platform.
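The authorization check recommended above, shown as an added, hypothetical example written for this page and not taken from the wisdom-education code base: the entity names, the in-memory enrollment lookup and the method signatures are assumptions, and the sample data is constructed. The unchecked variant trusts the client-supplied subjectId alone; the hardened variant binds subjectId to the authenticated student's own enrollments before any data is fetched.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical, simplified model of a student exam lookup; not the
// wisdom-education project's own code. Entity names and the enrollment
// lookup are assumptions made for this example.
public class ExamInfoAuthorizationExample {

    record ExamInfo(long subjectId, String studentName, int score) {}

    // Constructed sample data: the subjects each student is enrolled in.
    static final Map<Long, Set<Long>> ENROLLMENTS = Map.of(
            1001L, Set.of(10L, 11L),
            1002L, Set.of(12L));

    // Constructed sample data: exam rows keyed by subjectId.
    static final Map<Long, List<ExamInfo>> EXAMS = Map.of(
            10L, List.of(new ExamInfo(10L, "student-1001", 88)),
            12L, List.of(new ExamInfo(12L, "student-1002", 73)));

    // Weak pattern: the only input is the client-supplied subjectId, so any
    // low-privileged student can read any subject's exam rows.
    static List<ExamInfo> selectStudentExamInfoListUnchecked(long subjectId) {
        return EXAMS.getOrDefault(subjectId, List.of());
    }

    // Hardened pattern: the caller identity comes from the server-side
    // session (never from the request), and subjectId is checked against
    // that student's enrollments before any data is fetched. Fail closed.
    static List<ExamInfo> selectStudentExamInfoList(long authenticatedStudentId,
                                                    long subjectId) {
        Set<Long> allowed = ENROLLMENTS.getOrDefault(authenticatedStudentId, Set.of());
        if (!allowed.contains(subjectId)) {
            // Same error whether the subject exists or not, to avoid leaking ids.
            throw new SecurityException("subjectId not authorized for this student");
        }
        return EXAMS.getOrDefault(subjectId, List.of());
    }

    public static void main(String[] args) {
        // Student 1001 is not enrolled in subject 12: the unchecked variant
        // returns the row, the hardened variant rejects the request.
        System.out.println("unchecked rows: " + selectStudentExamInfoListUnchecked(12L).size());
        try {
            selectStudentExamInfoList(1001L, 12L);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println("own rows: " + selectStudentExamInfoList(1002L, 12L).size());
    }
}
```

In a real controller the authenticated student id would be read from the security context or session, and the enrollment check would be a query scoped to that id rather than an in-memory map.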
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-26T13:11:04.929Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d859aee2b9752dec525354
Added to database: 9/27/2025, 9:39:58 PM
Last enriched: 9/27/2025, 9:40:21 PM
Last updated: 9/27/2025, 10:09:48 PM