
CVE-2025-11151: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus

Severity: High
Tags: Vulnerability, CVE-2025-11151, cve, cve-2025-11151, cwe-200, cwe-497
Published: Tue Oct 21 2025 (10/21/2025, 13:15:39 UTC)
Source: CVE Database V5
Vendor/Project: Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co.
Product: CityPLus

Description

Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus allows Detect Unpublicized Web Pages. This issue affects CityPLus: before V24.29500.1.0.

AI-Powered Analysis

Last updated: 10/21/2025, 14:35:31 UTC

Technical Analysis

CVE-2025-11151 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information) and CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) affecting the CityPLus software developed by Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. The flaw exists in versions prior to V24.29500.1.0 and allows an attacker to detect unpublicized web pages that should not be accessible to unauthorized users. This exposure can reveal sensitive system information that could be leveraged for further attacks or reconnaissance. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS v3.1 score of 8.2 reflects a high severity due to the high confidentiality impact, low attack complexity, and network attack vector. Although integrity and availability impacts are low, the unauthorized disclosure of sensitive information can compromise organizational security posture. No patches are currently linked, and no known exploits have been reported in the wild, indicating the need for proactive mitigation. The vulnerability likely arises from improper access control or information disclosure in the web application logic of CityPLus, enabling attackers to enumerate hidden or unlisted web resources.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality, as sensitive system information exposure can facilitate targeted attacks, social engineering, or unauthorized access escalation. Organizations relying on CityPLus for critical business functions or infrastructure management may face increased risk of data leakage or reconnaissance by threat actors. The lack of authentication requirement and ease of exploitation mean attackers can remotely probe systems without insider access. This could lead to compromised customer data, intellectual property exposure, or disruption of trust in service providers. Additionally, regulatory compliance frameworks such as GDPR emphasize protection of sensitive information, and exploitation of this vulnerability could result in legal and financial consequences. The impact is particularly critical for sectors with high data sensitivity, including finance, healthcare, and government services within Europe.

Mitigation Recommendations

Immediate mitigation should include restricting network access to CityPLus web interfaces using firewalls or VPNs to limit exposure to trusted users only. Implement web application firewalls (WAFs) to detect and block attempts to enumerate unpublicized web pages. Conduct thorough audits of CityPLus configurations to identify and remove any unnecessary or sensitive web endpoints. Monitor web server logs for unusual access patterns indicative of reconnaissance activity. Employ strict access control policies and ensure that sensitive information is not inadvertently exposed in web responses or error messages. Coordinate with Beyaz Bilgisayar for timely patch deployment once available, and apply updates promptly. Additionally, perform regular vulnerability assessments and penetration testing focused on web application security to detect similar issues proactively. Educate IT staff on this vulnerability to improve incident response readiness.


Technical Details

Data Version: 5.1
Assigner Short Name: TR-CERT
Date Reserved: 2025-09-29T10:54:50.571Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f796b2a08cdec9506ea1b8

Added to database: 10/21/2025, 2:20:34 PM

Last enriched: 10/21/2025, 2:35:31 PM

Last updated: 10/30/2025, 11:16:10 AM
