CVE-2025-25950 is a critical access control vulnerability identified in the Academia Student Information System (SIS) EagleR version 1.0.118, developed by Serosoft Solutions Pvt Ltd. The vulnerability resides in the REST API endpoint /rest/staffResource/update, which is intended for updating staff resources. Due to improper access control (CWE-284), authenticated users with limited privileges can exploit this endpoint to create or modify user accounts, including elevating privileges to Administrator level. This flaw does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L) and only requires privileges (PR:L) that may be granted to standard staff users. The vulnerability impacts confidentiality and integrity severely (C:H/I:H), but does not affect availability (A:N). The scope remains unchanged (S:U), meaning the exploit affects only the vulnerable component. No patches have been published yet, and no known exploits are reported in the wild, but the potential for privilege escalation and full system compromise is high. This vulnerability poses a significant risk to organizations relying on this SIS for managing student and staff data, as attackers could gain unauthorized administrative control, manipulate sensitive data, or disrupt operations.

For European organizations, particularly educational institutions using the Academia SIS EagleR system, this vulnerability could lead to unauthorized creation and modification of user accounts, including administrators. This could result in unauthorized access to sensitive student and staff data, manipulation of academic records, and potential disruption of educational services. The breach of confidentiality and integrity could also lead to regulatory non-compliance under GDPR, resulting in legal and financial penalties. The ability to escalate privileges without user interaction makes this vulnerability particularly dangerous, as attackers could maintain persistent access and move laterally within the network. Additionally, compromised administrator accounts could be used to deploy further attacks or ransomware, amplifying the impact. The lack of available patches increases the urgency for immediate mitigation to protect sensitive educational data and maintain trust.

Since no official patches are currently available, European organizations should implement compensating controls immediately. These include restricting access to the /rest/staffResource/update endpoint through network segmentation and firewall rules, ensuring only trusted IP addresses or VPN connections can reach this API. Implement strict monitoring and alerting on account creation and modification activities, especially for administrative accounts. Review and tighten role-based access controls to minimize the number of users with privileges that could exploit this vulnerability. Conduct regular audits of user accounts to detect unauthorized changes promptly. Employ multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials being exploited. Engage with the vendor for timely updates and patches, and prepare to apply them as soon as they become available. Finally, educate staff about the risks and signs of account compromise to enhance detection capabilities.