Skip to main content
CVE Vulnerability Database

CVE-2025-9902: QRMenu Auth Bypass Vulnerability

CVE-2025-9902 is an authorization bypass through user-controlled key vulnerability in AKIN Software QRMenu that enables privilege abuse attacks. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-9902 Overview

CVE-2025-9902 is an authorization bypass vulnerability in AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu. The flaw stems from a user-controlled key that the application trusts without verifying the requester's ownership of the referenced resource. Attackers can manipulate identifiers in requests to access data belonging to other tenants or users. The issue is classified under [CWE-639] Authorization Bypass Through User-Controlled Key. It affects QRMenu from version 1.05.12 up to the build dated 05.09.2025, where the vendor addressed the flaw.

Critical Impact

Unauthenticated remote attackers can abuse predictable or guessable identifiers to read data belonging to other QRMenu tenants, leading to confidentiality loss across multi-tenant deployments.

Affected Products

  • AKIN Software QRMenu starting at version 1.05.12
  • AKIN Software QRMenu builds released before 05.09.2025
  • Deployments exposing the QRMenu web interface to untrusted networks

Discovery Timeline

  • 2025-10-13 - CVE-2025-9902 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9902

Vulnerability Analysis

QRMenu exposes resources through endpoints that accept an object identifier supplied by the client. The application uses this identifier to retrieve records without validating that the authenticated session, or in this case any session, is authorized to access the referenced object. This pattern is a textbook Insecure Direct Object Reference (IDOR) and falls under [CWE-639]. Because the attack vector is network-based and requires no privileges or user interaction, any actor who can reach the QRMenu service can enumerate resources by iterating identifier values. The impact is limited to confidentiality, but the scope of accessible data depends on how QRMenu segments tenant menus, orders, and customer information.

Root Cause

The root cause is missing server-side authorization checks tied to the requesting principal. The application treats the user-controlled key as authoritative for access decisions rather than enforcing an ownership or role check against the session context. Multi-tenant SaaS menu platforms commonly assign sequential or weakly randomized identifiers, which compounds the exposure.

Attack Vector

An attacker submits crafted HTTP requests to QRMenu endpoints, substituting another tenant's or user's identifier in path parameters, query strings, or request bodies. The server returns the targeted resource because it never validates the relationship between the caller and the requested object. Automated enumeration with simple tooling is sufficient to harvest data at scale.

No public proof-of-concept code is referenced for this CVE. Refer to the USOM Security Notification TR-25-0333 for vendor coordination details.

Detection Methods for CVE-2025-9902

Indicators of Compromise

  • High-rate sequential access to QRMenu resource endpoints from a single source IP, indicating identifier enumeration.
  • HTTP 200 OK responses to requests where the referenced identifier does not correspond to the authenticated session's tenant.
  • Unusual outbound data transfer volumes from the QRMenu application server during short time windows.

Detection Strategies

  • Inspect application access logs for repeated requests to the same endpoint with incrementing or randomized identifier values.
  • Correlate session identifiers with resource identifiers accessed; flag mismatches between session tenant and resource owner.
  • Deploy web application firewall rules that rate-limit identifier-parameterized endpoints and alert on enumeration patterns.

Monitoring Recommendations

  • Centralize QRMenu web server and application logs into a SIEM and retain at least 90 days of request metadata.
  • Track baseline request volumes per endpoint and alert on statistical deviations consistent with scraping.
  • Monitor authentication events alongside resource access to identify unauthenticated reads of tenant data.

How to Mitigate CVE-2025-9902

Immediate Actions Required

  • Upgrade QRMenu to the build dated 05.09.2025 or later, which contains the vendor fix.
  • Review access logs since the deployment of version 1.05.12 for signs of identifier enumeration or unauthorized reads.
  • Rotate any credentials, API tokens, or customer data exports that may have been exposed through the affected endpoints.

Patch Information

AKIN Software released a fixed QRMenu build dated 05.09.2025. The vendor coordinated disclosure through Türkiye's national CERT, USOM. Administrators should consult the USOM Security Notification TR-25-0333 for upgrade guidance and confirm the running version after deployment.

Workarounds

  • Restrict network access to QRMenu administrative and API endpoints using IP allowlists or VPN gating until patching completes.
  • Place QRMenu behind a reverse proxy or WAF and enforce per-session rate limits on identifier-bearing endpoints.
  • Audit identifier schemes and, where supported by configuration, switch to non-enumerable identifiers such as UUIDv4.
bash
# Configuration example: temporary nginx rate limit for QRMenu identifier endpoints
limit_req_zone $binary_remote_addr zone=qrmenu_ids:10m rate=10r/m;

server {
    location ~ ^/api/(menu|order|customer)/[0-9]+ {
        limit_req zone=qrmenu_ids burst=5 nodelay;
        proxy_pass http://qrmenu_backend;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.