CVE-2025-67274
Unknown Unknown - Not Provided
Information Disclosure in continuous.software Aangine via Multiple Modules

Publication date: 2026-01-26

Last updated on: 2026-02-12

Assigner: MITRE

Description
An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67274
EUVD
EUVD-2025-206358
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
continuous.software aangine 2025.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67274 is a Broken Access Control vulnerability (specifically Broken Object Level Authorization - BOLA) in the aangine application version 2025.2. It allows low-privileged authenticated users to access multiple admin-restricted backend API endpoints without proper authorization. This happens because the APIs fail to correctly validate user roles or scope claims in JWT tokens, enabling attackers to bypass role and scope checks and access sensitive administrative data by sending direct HTTP requests to these endpoints. [3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information such as internal configuration data, integration job details, logs, and portfolio or project-related records. Attackers exploiting this flaw can gain access to administrative data without proper permissions, potentially compromising the confidentiality of critical business information. [3]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized HTTP requests to admin-restricted API endpoints related to template download, integration job listings, and portfolio data retrieval. Specifically, look for requests to endpoints of the excel-integration-service, integration-persistence-service, and portfolio-item-service modules made by low-privileged users. Commands to detect such activity could include using network traffic inspection tools like tcpdump or Wireshark to filter HTTP requests to these endpoints, or using curl commands to test access control by attempting to access these endpoints with low-privileged credentials. For example, a curl command to test access might be: curl -i -H "Authorization: Bearer <low-privilege-token>" https://<target>/api/excel-integration-service/template-download. Monitoring logs for unauthorized access attempts or unexpected data retrieval from these endpoints can also help detect exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include applying the vendor's patch or update that implements proper backend authorization controls to restrict access to admin-restricted API endpoints. Until the patch is applied, restrict access to the affected API endpoints by network-level controls such as firewall rules or API gateway policies to limit access only to authorized administrative users. Additionally, monitor logs and network traffic for suspicious access patterns to these endpoints and revoke any compromised credentials. Inform users about the vulnerability and enforce strict authentication and authorization policies. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart