
CVE-2025-5522: Improper Authorization in jack0240 魏 bskms 蓝天幼儿园管理系统

Medium
Published: Tue Jun 03 2025 (06/03/2025, 19:00:22 UTC)
Source: CVE Database V5
Vendor/Project: jack0240 魏
Product: bskms 蓝天幼儿园管理系统

Description

A vulnerability was found in jack0240 魏 bskms 蓝天幼儿园管理系统 up to dffe6640b5b54d8e29da6f060e0493fea74b3fad. It has been rated as critical. Affected by this issue is some unknown functionality of the file /sa/addUser of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 06:04:07 UTC

Technical Analysis

CVE-2025-5522 is a critical improper authorization vulnerability identified in the jack0240 魏 bskms 蓝天幼儿园管理系统, a kindergarten management system. The flaw exists in the User Creation Handler component, specifically within the /sa/addUser endpoint. This vulnerability allows an unauthenticated remote attacker to manipulate the user creation process without proper authorization checks. The improper authorization means that the system fails to verify whether the requester has the necessary privileges to add new users, potentially allowing unauthorized account creation. Given that the product uses continuous delivery with rolling releases, specific version details for affected or patched releases are not clearly defined, complicating patch management. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability at a low level. Although no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The vulnerability could lead to unauthorized access, privilege escalation, and potential lateral movement within affected environments, undermining the security posture of organizations using this system.

Potential Impact

For European organizations, especially those operating kindergartens or educational institutions using the bskms 蓝天幼儿园管理系统, this vulnerability poses a significant risk. Unauthorized user creation can lead to unauthorized access to sensitive personal data of children, staff, and parents, violating GDPR and other data protection regulations. Attackers could create accounts with elevated privileges, enabling data exfiltration, manipulation of records, or disruption of services. This could result in reputational damage, regulatory fines, and operational disruptions. Given the critical nature of educational data and the trust placed in these systems, exploitation could severely impact confidentiality and integrity. Additionally, unauthorized accounts could be used as footholds for further attacks within the organization's network. The medium CVSS score suggests moderate but tangible risk, emphasizing the need for prompt mitigation to prevent escalation.

Mitigation Recommendations

Organizations should immediately audit and monitor the /sa/addUser endpoint for unauthorized access attempts. Since no official patches or version details are available due to continuous delivery, it is critical to implement compensating controls such as network-level restrictions limiting access to the management interface to trusted IPs only. Employ Web Application Firewalls (WAFs) with rules to detect and block anomalous user creation requests. Conduct thorough access reviews and enforce multi-factor authentication (MFA) on administrative interfaces to reduce risk if unauthorized accounts are created. Implement detailed logging and alerting on user creation activities to detect suspicious behavior promptly. Engage with the vendor for timely updates or patches and test any new releases rigorously before deployment. Additionally, consider isolating the management system within a segmented network zone to limit potential lateral movement in case of compromise.
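The analysis above describes an endpoint that accepts user-creation requests without verifying the caller's privileges, and the mitigations call for restricting the management interface to trusted addresses and for logging and alerting on user-creation activity. The following script is an added example (not code from the bskms project or from the advisory) of the detection half of that advice: it parses web-server access-log lines in the common combined format, records every request to /sa/addUser for audit, and raises an alert for any such request that did not originate from an assumed trusted administrative network. The log lines, the 10.0.5.0/24 trusted network and the `Alert` type are constructed for the example; only the /sa/addUser path comes from the advisory.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Apache/Nginx combined format).
# They are illustrative only and are not from any real deployment.
SAMPLE_LOG = """\
10.0.5.12 - - [03/Jun/2025:19:02:11 +0000] "POST /sa/addUser HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Jun/2025:19:05:43 +0000] "POST /sa/addUser HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.5.12 - - [03/Jun/2025:19:06:02 +0000] "GET /sa/userList HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2025:19:07:19 +0000] "POST /sa/addUser?role=admin HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.5.30 - - [03/Jun/2025:19:08:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

# Assumed trusted administrative network; adjust to the real management VLAN.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Endpoint named in the advisory as the User Creation Handler.
SENSITIVE_PATHS = {"/sa/addUser"}

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Alert:
    ts: str
    ip: str
    method: str
    path: str
    status: int
    reason: str


def is_trusted(ip_str, trusted=TRUSTED_ADMIN_NETS):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable address is never trusted
    return any(addr in net for net in trusted)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = fields["path"].split("?", 1)[0]  # drop query string before matching
    fields["status"] = int(fields["status"])
    return fields


def audit_user_creation(log_text, sensitive=SENSITIVE_PATHS):
    """Every request to a sensitive path, trusted or not, for the audit trail."""
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["path"] in sensitive:
            events.append(f)
    return events


def scan_access_log(log_text, trusted=TRUSTED_ADMIN_NETS, sensitive=SENSITIVE_PATHS):
    """Alert on sensitive-path requests that came from outside the trusted networks.

    Non-2xx responses are still alerted: a 302 or 403 from an untrusted source is
    evidence of an attempt against the endpoint even if it did not succeed.
    """
    alerts = []
    for f in audit_user_creation(log_text, sensitive):
        if not is_trusted(f["ip"], trusted):
            alerts.append(Alert(
                ts=f["ts"], ip=f["ip"], method=f["method"], path=f["path"],
                status=f["status"],
                reason="user-creation request from outside trusted admin network",
            ))
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {a.ts} {a.ip} {a.method} {a.path} -> {a.status}: {a.reason}")
```

Run against the embedded sample, the script reports the two requests from 203.0.113.45 and 198.51.100.7 and stays silent about the administrator on 10.0.5.12. Feeding the same allowlist to the reverse proxy or firewall in front of the management interface implements the preventive half of the recommendation; this script is the check that the restriction is actually holding and that legitimate user creation is being recorded.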


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-03T09:37:36.247Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683f4959182aa0cae2891646

Added to database: 6/3/2025, 7:13:29 PM

Last enriched: 7/11/2025, 6:04:07 AM

Last updated: 7/13/2025, 8:25:31 AM
