CVE-2025-61075
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-12

Assigner: MITRE

Description
Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61075
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
adata mitarbeiter_portal to 2.16.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized access to confidential employee data and manipulation of workflows by low-privileged authenticated users, which could lead to violations of data protection regulations such as GDPR and HIPAA due to improper access control and potential exposure of sensitive personal information. [2]

Detection Guidance

This vulnerability can be detected by monitoring and intercepting API requests to the affected endpoints and checking for unauthorized access or manipulation attempts. For example, intercept and modify parameters such as user IDs (Pnr) in requests to endpoints like /Zeiterfassung/MeineZeiten/CreateFromGrid to see if unauthorized actions are accepted. Additionally, test access to administrative log files via /Administration/Log/Show/log<date> endpoints with low-privileged accounts. Commands using tools like curl or Burp Suite can be used to send crafted requests to these endpoints, modifying parameters to check if unauthorized access is possible. Example curl command to test unauthorized email retrieval: curl -u user:password "https://<target>/Administration/EmailDropDown/GetUserMails?userId=<otherUserId>". Monitoring logs for unexpected API calls or parameter tampering can also help detect exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the adata Mitarbeiterportal software to version 2.16.1 or later, as this version addresses the vulnerabilities. Until the update can be applied, restrict access to the affected API endpoints to trusted users only, monitor API usage for suspicious activity, and enforce strict authentication and authorization controls. Additionally, review and limit permissions of low-privileged users to minimize potential abuse of the access control flaws. [2]

Executive Summary

This vulnerability involves multiple incorrect access control issues in adata Software GmbH Mitarbeiterportal version 2.15.2.0. It allows remote authenticated users with low privileges to perform administrative functions and manipulate data of other users by making unauthorized API calls.

Impact Analysis

The vulnerability can allow low-privileged users to escalate their privileges and perform administrative actions, potentially leading to unauthorized data manipulation and compromise of user data integrity and confidentiality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart