CVE-2025-25952 identifies an Insecure Direct Object Reference (IDOR) vulnerability in the Academia Student Information System (SIS) EagleR version 1.0.118, developed by Serosoft Solutions Pvt Ltd. The vulnerability resides in the API endpoint /getStudemtAllDetailsById, which accepts a studentId parameter to retrieve student details. Due to insufficient authorization checks, an attacker with low privileges can craft a request with an arbitrary studentId value and gain unauthorized access to sensitive student information belonging to other users. This vulnerability is classified under CWE-639, which relates to authorization bypass through improper validation of object references. The CVSS v3.1 score is 6.5, reflecting a medium severity with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, meaning the attack is network-based, requires low privileges, no user interaction, and impacts confidentiality significantly without affecting integrity or availability. No patches or known exploits are currently available, indicating the vulnerability is newly disclosed. The lack of authentication bypass means attackers must have some level of access, but the low privilege requirement lowers the barrier to exploitation. This vulnerability could lead to unauthorized disclosure of sensitive student data such as personal identifiers, academic records, or other private information stored in the SIS. Given the critical nature of educational data privacy, this poses a significant risk to affected organizations.

For European organizations, particularly educational institutions using the Academia SIS EagleR system, this vulnerability could lead to unauthorized disclosure of sensitive student information, violating data protection regulations such as GDPR. Exposure of personal data can result in reputational damage, legal penalties, and loss of trust from students and parents. Since the vulnerability requires only low privileges and no user interaction, insider threats or compromised low-level accounts could be leveraged to escalate data access. The confidentiality breach could also facilitate further targeted attacks such as identity theft or social engineering. Although the vulnerability does not impact system integrity or availability, the data exposure alone is significant given the sensitivity of educational records. Institutions with large student populations or those handling sensitive demographic data are at higher risk. The absence of patches means organizations must rely on compensating controls until a fix is available.

1. Implement strict access control checks on the /getStudemtAllDetailsById API endpoint to ensure that users can only access their own records or those they are authorized to view. 2. Introduce server-side validation to verify that the studentId parameter corresponds to the authenticated user's permissions before returning data. 3. Employ role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms to enforce fine-grained authorization policies. 4. Monitor API access logs for unusual or repeated requests with varying studentId parameters that may indicate exploitation attempts. 5. Conduct a thorough security review and penetration testing of all API endpoints handling sensitive data to identify similar IDOR issues. 6. Educate developers on secure coding practices related to authorization and object reference validation. 7. Until an official patch is released, consider implementing web application firewall (WAF) rules to detect and block suspicious requests targeting this endpoint. 8. Review and tighten user privilege assignments to minimize the number of accounts with access to sensitive student data. 9. Prepare an incident response plan to quickly address any detected data access incidents related to this vulnerability.