CVE-2025-14089
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-12-05
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-12-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: himool
Product: erp
Version / Range: 2.2
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-14089 is an improper authorization vulnerability in Himool ERP versions up to 2.2, specifically in the update_account function of the /api/admin/update_account/ endpoint within the AdminActionViewSet component. Due to missing or improper authorization checks, unauthorized remote attackers can manipulate account updates without proper permissions. This flaw allows attackers to perform unauthorized administrative actions remotely, potentially compromising the system's confidentiality, integrity, and availability. A public exploit exists, and the vendor has not provided any mitigation. [1, 2]


How can this vulnerability impact me?

This vulnerability allows attackers to remotely perform unauthorized administrative actions such as creating or modifying company accounts within the Himool ERP system. This can lead to unauthorized access, data manipulation, and potential disruption of business operations, impacting the confidentiality, integrity, and availability of sensitive enterprise data. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring access attempts to the API endpoint `/api/admin/update_account/` for unauthorized or unusual activity, especially requests that attempt to invoke the `update_account` function without proper authorization. Network traffic inspection tools or web application firewalls can be configured to log or alert on such requests. Since the exploit is publicly available, searching for HTTP requests with suspicious payloads targeting this endpoint is recommended. Specific commands might include using curl or similar tools to test the endpoint manually, for example: `curl -X POST https://<target>/api/admin/update_account/ -d '{"account_data": "..."}'` to check if unauthorized updates are possible. Additionally, using tools like `tcpdump` or `Wireshark` to capture and analyze traffic to this endpoint can help detect exploitation attempts. [1, 2]
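The log-monitoring approach described above, worked through as an added example (this code is not from the page, from BaseFortify, or from the Himool project). It parses web-server access-log lines in the common combined format, keeps only requests to /api/admin/update_account/, and flags those that did not originate from an assumed administrator network; a successful (2xx) state-changing request from outside that network is what an exploitation attempt against this endpoint would look like, while 403/405 responses from outside are probes worth noting but not compromises. The sample log lines, the IP addresses and the admin network 10.0.5.0/24 are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# The endpoint named in the advisory.
TARGET_PATH = "/api/admin/update_account/"

# Constructed sample access-log lines (combined log format). None of these
# addresses, timestamps or user agents come from the page; they exist only so
# the example runs offline. The last line is a non-matching path for contrast.
SAMPLE_LOG = """\
10.0.5.20 - - [06/Dec/2025:09:14:02 +0000] "POST /api/admin/update_account/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.77 - - [06/Dec/2025:09:15:40 +0000] "POST /api/admin/update_account/ HTTP/1.1" 200 298 "-" "python-requests/2.31"
203.0.113.77 - - [06/Dec/2025:09:15:41 +0000] "GET /api/admin/update_account/ HTTP/1.1" 405 0 "-" "python-requests/2.31"
198.51.100.9 - - [06/Dec/2025:09:16:03 +0000] "POST /api/admin/update_account/ HTTP/1.1" 403 41 "-" "curl/8.4.0"
10.0.5.21 - - [06/Dec/2025:09:17:10 +0000] "GET /static/app.js HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines, admin_networks):
    """Return hits for requests to TARGET_PATH from outside the admin networks.

    Each hit carries a severity: "high" for a state-changing request that the
    server answered with 2xx (the update went through), "low" otherwise
    (a rejected or non-mutating request, i.e. a probe).
    """
    nets = [ip_network(n) for n in admin_networks]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the path prefix so a query string does not hide the endpoint.
        if not rec["path"].startswith(TARGET_PATH):
            continue
        if any(ip_address(rec["ip"]) in net for net in nets):
            continue  # expected administrator traffic
        succeeded = rec["method"] in STATE_CHANGING and 200 <= rec["status"] < 300
        hits.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "method": rec["method"],
            "status": rec["status"],
            "user_agent": rec["ua"],
            "severity": "high" if succeeded else "low",
        })
    return hits


def count_by_severity(hits):
    """Summarise a hit list as {"high": n, "low": m}."""
    counts = {"high": 0, "low": 0}
    for h in hits:
        counts[h["severity"]] += 1
    return counts


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines(), ["10.0.5.0/24"])
    for h in found:
        print(f'{h["severity"]:4} {h["time"]} {h["ip"]} {h["method"]} -> {h["status"]} ({h["user_agent"]})')
    print(count_by_severity(found))
```

Point the script at a real access log by replacing SAMPLE_LOG with the file contents and the admin network with the ranges from which administrators actually work; in practice the same filter is easier to keep as a SIEM or WAF rule, but the logic (endpoint prefix, source allowlist, method, response class) is the same.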


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable API endpoint `/api/admin/update_account/` by implementing network-level controls such as IP whitelisting or firewall rules to limit access only to trusted administrators. Since no patches or vendor responses are available, consider disabling or restricting the affected functionality if possible. Monitoring and logging all access to this endpoint for suspicious activity is also critical. Ultimately, replacing the affected Himool ERP product with an alternative solution is recommended due to the lack of vendor mitigation and the exploit's public availability. [1]
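The network-level restriction suggested above, as an added configuration example that is not from the page or from the Himool project. It assumes, as an illustration only, that the ERP's HTTP API is fronted by nginx and proxied to an upstream named himool; the administrator network 10.0.5.0/24 is a constructed value to replace with the real one. Requests to the endpoint from anywhere else are refused with 403 before they reach the application, which is also what makes them stand out in the access log.

```nginx
# Added example (not the vendor's configuration). Assumes nginx in front of
# Himool ERP with an upstream block named "himool" defined elsewhere.
location ^~ /api/admin/update_account/ {
    # Only the (constructed) administrator network may reach this endpoint.
    allow 10.0.5.0/24;
    deny  all;            # everyone else gets 403 and never reaches the app
    proxy_pass http://himool;
}
```

The ^~ prefix modifier makes this block win over any regex locations that would otherwise match the path, so the allowlist cannot be bypassed by a broader proxy rule defined later in the file. If the endpoint is not needed at all, replacing the allow line with nothing (deny all alone) disables it entirely, which matches the "disable the affected functionality" option above.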


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized remote manipulation of account data within Himool ERP, impacting confidentiality, integrity, and availability of sensitive information. Such unauthorized access and modification of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. Since the vulnerability remains unmitigated and the vendor has not responded, affected organizations may face increased risk of regulatory violations due to potential data breaches or unauthorized data alterations. [1, 2]

