CVE-2025-12868

CyberTutor|New Site Server - Use of Client-Side Authentication

CVSS 9.3 CRITICAL | EPSS 0.5% | CWE-603
In short

The CyberTutor New Site Server performs its authentication checks only in the browser, not on the server. Attackers can bypass these checks by modifying the frontend code and gain admin access without valid credentials.

Technical detail

This is a CWE-603 (Use of Client-Side Authentication) vulnerability: unauthenticated remote attackers can manipulate the frontend authentication logic (via browser developer tools or proxy interception) to escalate privileges to administrator level. Because the server performs no server-side authentication validation, the escalation requires no credential compromise.

Summary generated and translated by AI from the official description.
New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on the website.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
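
The pattern described under "Technical detail", next to its server-side fix, as an added example that is not CyberTutor's code. The route names, the in-memory session store and the sample requests are all hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Server-held session state: token -> { user, role }. The client only ever
// holds the opaque token, never the role.
const sessions = new Map();

function login(user, role) {
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { user, role });
  return token;
}

// Hypothetical admin action used by both variants below.
function adminAction(req) {
  return { status: 200, body: 'settings updated' };
}

// Weak pattern (CWE-603): the route runs the action for any caller because
// it assumes the frontend only shows this page to administrators.
function weakRoute(req) {
  return adminAction(req);
}

// Hardened: wrap the handler so the server decides who is an admin from its
// own session store, ignoring anything the client claims about itself.
function requireAdmin(handler) {
  return function (req) {
    const auth = (req.headers && req.headers.authorization) || '';
    const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
    const session = sessions.get(token);
    if (!session) return { status: 401, body: 'authentication required' };
    if (session.role !== 'admin') return { status: 403, body: 'admin role required' };
    return handler(req, session);
  };
}

const hardenedRoute = requireAdmin(adminAction);

// Constructed sample requests (not captured traffic).
const anonymous = { headers: {}, body: { isAdmin: true } };
const student = { headers: { authorization: 'Bearer ' + login('student1', 'user') }, body: { isAdmin: true } };
const admin = { headers: { authorization: 'Bearer ' + login('root', 'admin') }, body: {} };

for (const [name, req] of Object.entries({ anonymous, student, admin })) {
  console.log(name, 'weak:', weakRoute(req).status, 'hardened:', hardenedRoute(req).status);
}
```

The weak route answers 200 to every caller, while the hardened route returns 401 without a session and 403 for a non-admin session regardless of any `isAdmin` value in the request body.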
