CVE-2025-25951 is an information disclosure vulnerability identified in the Academia Student Information System (SIS) EagleR version 1.0.118, developed by Serosoft Solutions Pvt Ltd. The vulnerability exists in the REST API endpoint /rest/cb/executeBasicSearch, which is designed to perform basic search operations within the SIS. Due to insufficient access control mechanisms, this endpoint allows unauthenticated remote attackers to retrieve sensitive user information, such as personally identifiable information (PII) of students and staff. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 7.5, indicating a high severity level, with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This means the attack can be performed remotely over the network without any privileges or user interaction, and it impacts confidentiality with no effect on integrity or availability. No patches or fixes have been officially released yet, and no known exploits have been observed in the wild. The vulnerability could be exploited by attackers to harvest sensitive data, potentially leading to privacy violations, identity theft, or further targeted attacks against educational institutions using this SIS. The lack of authentication and ease of exploitation make this a critical concern for organizations relying on this software for managing student information.

For European organizations, particularly educational institutions using the Academia SIS EagleR platform, this vulnerability poses a significant risk to the confidentiality of sensitive student and staff data. Unauthorized disclosure of personal information can lead to privacy breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential legal consequences. The exposure of sensitive data could also facilitate social engineering attacks or identity theft. Since the vulnerability does not affect system integrity or availability, operational disruption is less likely; however, the loss of confidentiality alone is critical in the education sector. The impact is heightened in Europe due to stringent data protection laws and the high value placed on personal data security. Institutions lacking robust network segmentation or API security controls are particularly vulnerable. The absence of known exploits in the wild provides a window for proactive mitigation, but the ease of exploitation and network accessibility mean attackers could develop exploits rapidly.

1. Monitor Serosoft Solutions’ official channels for security patches addressing CVE-2025-25951 and apply them immediately upon release. 2. Until patches are available, restrict network access to the /rest/cb/executeBasicSearch endpoint using firewalls or API gateways to limit exposure to trusted internal networks only. 3. Implement strict authentication and authorization controls on all SIS API endpoints, ensuring that sensitive operations require verified user credentials and appropriate privileges. 4. Conduct thorough security audits and penetration testing focused on API endpoints to identify and remediate similar access control weaknesses. 5. Employ network segmentation to isolate SIS infrastructure from public-facing systems and reduce the attack surface. 6. Enable detailed logging and monitoring of API access to detect anomalous or unauthorized requests promptly. 7. Educate IT and security teams within educational institutions about this vulnerability and the importance of securing student information systems. 8. Review and update data protection policies to ensure compliance with GDPR and related regulations, emphasizing the protection of exposed data types.