📄 Description (English)
Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection.This issue affects Education Management System: through 23.09.2025.
🤖 AI Executive Summary
CVE-2025-10024 is a high-severity authorization bypass vulnerability in EXERT Education Management System that allows attackers to inject parameters and bypass access controls through user-controlled keys. The vulnerability affects versions through September 23, 2025, and could enable unauthorized access to sensitive educational data and administrative functions. A patch is available and should be applied immediately to prevent exploitation.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 1, 2026 21:54
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi educational institutions including universities, schools, and training centers that utilize EXERT Education Management System. Primary impact sectors include: Ministry of Education institutions, private educational providers, and universities under NCAAA oversight. The authorization bypass could expose student records, grades, personal information, and administrative credentials. Secondary impact on government agencies using similar systems for training management and HR functions. Risk is elevated due to centralized educational data management in Saudi institutions.
🏢 Affected Saudi Sectors
Education - Universities and Higher Education Institutions
Education - K-12 Schools
Government - Ministry of Education
Government - Training and Development Centers
Private Educational Providers
Healthcare - Medical Education Programs
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of EXERT Education Management System in your organization
2. Check current version against affected versions (through 23.09.2025)
3. Restrict access to the system to essential personnel only
4. Enable enhanced logging and monitoring of authentication/authorization events
PATCHING:
1. Apply the available patch immediately to all affected systems
2. Test patch in non-production environment first
3. Schedule maintenance window for production deployment
4. Verify patch application and system functionality post-update
COMPENSATING CONTROLS (if patching delayed):
1. Implement Web Application Firewall (WAF) rules to detect parameter injection attempts
2. Apply strict input validation and sanitization at application layer
3. Implement principle of least privilege for user accounts
4. Enable multi-factor authentication for administrative access
5. Segment network access to education management system
DETECTION:
1. Monitor for unusual parameter values in authentication requests
2. Alert on failed authorization attempts followed by successful access
3. Track access to sensitive educational records by non-authorized users
4. Review logs for parameter injection patterns (SQL injection, command injection syntax)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ نظام إدارة التعليم من EXERT في مؤسستك
2. التحقق من الإصدار الحالي مقابل الإصدارات المتأثرة (حتى 23.09.2025)
3. تقييد الوصول إلى النظام للموظفين الأساسيين فقط
4. تفعيل السجلات والمراقبة المحسّنة لأحداث المصادقة والتفويض
تطبيق التصحيح:
1. تطبيق التصحيح المتاح فوراً على جميع الأنظمة المتأثرة
2. اختبار التصحيح في بيئة غير الإنتاج أولاً
3. جدولة نافذة صيانة لنشر الإنتاج
4. التحقق من تطبيق التصحيح وعمل النظام بعد التحديث
عناصر التحكم البديلة (إذا تأخر التصحيح):
1. تنفيذ قواعد جدار حماية تطبيقات الويب للكشف عن محاولات حقن المعاملات
2. تطبيق التحقق الصارم من المدخلات والتطهير على مستوى التطبيق
3. تنفيذ مبدأ أقل امتياز لحسابات المستخدمين
4. تفعيل المصادقة متعددة العوامل للوصول الإداري
5. تقسيم الوصول إلى شبكة نظام إدارة التعليم
الكشف:
1. مراقبة قيم المعاملات غير العادية في طلبات المصادقة
2. التنبيه على محاولات التفويض الفاشلة متبوعة بالوصول الناجح
3. تتبع الوصول إلى سجلات التعليم الحساسة من قبل مستخدمين غير مصرح لهم
4. مراجعة السجلات لأنماط حقن المعاملات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User Registration and Access Rights Management
ECC 2024 A.9.4.3 - Password Management System
ECC 2024 A.14.2.1 - Secure Development Policy
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software, Hardware and Services Inventory
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-4 - Access Rights and Privileges
SAMA CSF DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.8.3 - Cryptography
ISO 27001:2022 A.14.2 - Development
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
Not directly applicable unless payment data is processed through the system
🔗 References & Sources 1