
CVE-2025-11080: Improper Authorization in zhuimengshaonian wisdom-education

Severity: Medium
Published: Sat Sep 27 2025 (09/27/2025, 21:32:06 UTC)
Source: CVE Database V5
Vendor/Project: zhuimengshaonian
Product: wisdom-education

Description

A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. This vulnerability affects the function selectStudentExamInfoList of the file src/main/java/com/education/api/controller/student/ExamInfoController.java. Such manipulation of the argument subjectId leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

AI-Powered Analysis

AI analysis last updated: 10/05/2025, 00:47:40 UTC

Technical Analysis

CVE-2025-11080 is a medium severity vulnerability in zhuimengshaonian wisdom-education versions up to 1.0.4. It lies in the selectStudentExamInfoList function of ExamInfoController.java: the subjectId parameter passed to this function is not subject to an adequate authorization check, so a caller can supply a subjectId for data they are not entitled to see. The flaw is reachable remotely (AV:N) with low attack complexity (AC:L), no additional attack requirements (AT:N), no user interaction, and only low privileges (PR:L), i.e. an ordinary student-level account is enough. The impact is limited to confidentiality (VC:L); integrity and availability are not directly affected. No exploitation in the wild has been observed, but exploit details have been published, which raises the likelihood of attempts. In practical terms, the missing check on subjectId may allow an authenticated user to read student exam information that should be restricted to the enrolled student or authorized staff, such as exam results or other student-specific records. The affected range spans the early releases 1.0.0 through 1.0.4, so deployments on any of these versions remain exposed until a patch or mitigation is applied. The CVSS 4.0 score of 5.3 (medium) reflects easy exploitation balanced against a narrow, confidentiality-only impact.

Potential Impact

For European organizations using the zhuimengshaonian wisdom-education platform, this vulnerability poses a risk of unauthorized disclosure of sensitive student exam information. Educational institutions, training centers, and e-learning providers relying on this software could face data breaches exposing personal and academic records. Such exposure may lead to violations of data protection regulations like the GDPR, resulting in legal and financial penalties. Furthermore, unauthorized access to exam data could undermine the integrity of educational assessments and damage institutional reputations. Although the vulnerability does not directly affect system availability or data integrity, the confidentiality breach alone can have significant consequences in the education sector. The remote exploitability without user interaction increases the risk of automated attacks or scanning by malicious actors. Organizations may also face indirect impacts such as loss of trust from students, parents, and regulatory bodies. Given the public disclosure of the exploit, the window for attackers to develop weaponized exploits is open, increasing urgency for mitigation.

Mitigation Recommendations

1. Upgrade to a patched version of zhuimengshaonian wisdom-education as soon as the vendor releases one; this is the most effective mitigation. Until a patch is available, restrict access to the affected API endpoints at the network level, in particular the route served by selectStudentExamInfoList.
2. Deploy web application firewall (WAF) rules that detect and block abnormal or unauthorized requests manipulating the subjectId parameter.
3. Review the code and add explicit authorization checks that verify the requesting user is permitted to access the requested subjectId data.
4. Monitor logs for unusual access patterns or repeated requests against the vulnerable function to detect exploitation attempts.
5. Train development teams in secure coding practices so improper authorization issues do not recur in future releases.
6. Where feasible, enforce multi-factor authentication and role-based access control (RBAC) to limit exposure of sensitive endpoints.
7. Coordinate with the vendor to receive timely security advisories and updates.
8. Prepare incident response plans so any detected exploitation can be handled quickly.
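To make the authorization check recommended in item 3 concrete, the following Java sketch contrasts the defect class described in the technical analysis (a lookup driven purely by the client-supplied subjectId) with a scoped version that first verifies the caller's enrolment. This is an added illustration written for this page, not code from the wisdom-education project; the ExamInfo record, the ENROLMENTS map and the method names are hypothetical and the sample data is constructed.

```java
import java.util.*;

/* Hypothetical illustration (not the wisdom-education project's code): an
 * endpoint that returns exam data for whatever subjectId the caller supplies,
 * without checking that the authenticated student is enrolled in that subject,
 * beside a hardened variant that checks enrolment and scopes the query. */
public class ExamAuthzExample {

    record ExamInfo(long subjectId, long studentId, String title, int score) {}

    // Constructed sample data: two students, two subjects.
    static final List<ExamInfo> EXAMS = List.of(
        new ExamInfo(101, 1, "Algebra midterm", 88),
        new ExamInfo(102, 2, "Chemistry final", 74));

    // Assumed source of truth for authorization: subjects each student is enrolled in.
    static final Map<Long, Set<Long>> ENROLMENTS = Map.of(
        1L, Set.of(101L),
        2L, Set.of(102L));

    // Vulnerable pattern: the request's subjectId alone drives the query, so any
    // logged-in student can read exam records belonging to another subject/student.
    static List<ExamInfo> selectUnscoped(long subjectId) {
        return EXAMS.stream().filter(e -> e.subjectId() == subjectId).toList();
    }

    // Hardened pattern: the caller's identity comes from the server-side session
    // (never from a request parameter), is checked against ENROLMENTS, and the
    // query is additionally restricted to that student's own rows. Deny by default
    // and log the denial so item 4's monitoring has something to alert on.
    static List<ExamInfo> selectScoped(long callerStudentId, long subjectId) {
        Set<Long> allowed = ENROLMENTS.getOrDefault(callerStudentId, Set.of());
        if (!allowed.contains(subjectId)) {
            System.err.printf("AUTHZ_DENY student=%d subjectId=%d%n", callerStudentId, subjectId);
            throw new SecurityException("not enrolled in subject " + subjectId);
        }
        return EXAMS.stream()
            .filter(e -> e.subjectId() == subjectId && e.studentId() == callerStudentId)
            .toList();
    }

    public static void main(String[] args) {
        // Student 1 requests subject 102, which belongs to student 2.
        System.out.println("unscoped: " + selectUnscoped(102));      // leaks student 2's exam
        try {
            selectScoped(1, 102);
        } catch (SecurityException ex) {
            System.out.println("scoped: " + ex.getMessage());          // denied
        }
        System.out.println("scoped own: " + selectScoped(1, 101));   // only student 1's record
    }
}
```

Requires Java 16 or later for records and Stream.toList(); the AUTHZ_DENY line is the kind of event a log-monitoring rule for item 4 can key on.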


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-26T13:11:04.929Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68d859aee2b9752dec525354

Added to database: 9/27/2025, 9:39:58 PM

Last enriched: 10/5/2025, 12:47:40 AM

Last updated: 11/11/2025, 2:24:49 AM
