Insecure Direct Object Reference in Sergestec's Exito Software
CVE-2025-41020

7.1HIGH

Key Information:

Vendor: Sergestec
Status: Exito
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-41020?

The Exito software by Sergestec version 8.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. This flaw allows attackers to manipulate the 'id' parameter in the '/admin/ticket_a4.php' endpoint, potentially granting unauthorized access to other customers' data. This vulnerability highlights the importance of implementing secure coding practices to safeguard sensitive information.

Affected Version(s)

Exito 8.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

Ignacio Aldarabi

JSON