CVE-2025-9902 Overview
CVE-2025-9902 is an authorization bypass vulnerability affecting AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu. The flaw is classified as Authorization Bypass Through User-Controlled Key [CWE-639] and enables privilege abuse by remote attackers. It affects QRMenu versions from 1.05.12 up to the build dated 05.09.2025. The vulnerability is exploitable over the network, requires no authentication, and demands no user interaction. Successful exploitation exposes confidential data without requiring valid credentials.
Critical Impact
Remote, unauthenticated attackers can manipulate user-controlled key parameters to access resources belonging to other users, resulting in confidentiality loss across the QRMenu platform.
Affected Products
- AKIN Software QRMenu version 1.05.12
- AKIN Software QRMenu versions prior to the build dated 05.09.2025
- Deployments running QRMenu between 1.05.12 and the September 5, 2025 patch release
Discovery Timeline
- 2025-10-13 - CVE-2025-9902 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9902
Vulnerability Analysis
The vulnerability resides in the authorization logic of QRMenu, where the application trusts a user-supplied key to identify and retrieve resources. Attackers substitute the key value in requests to reference records that belong to other tenants or users. The server returns the requested data without validating whether the requester owns the referenced resource. This pattern, often called Insecure Direct Object Reference (IDOR), maps directly to [CWE-639].
The issue affects the confidentiality of stored data without impacting integrity or availability. Because QRMenu is a hosted menu management product, the exposed records likely include merchant configuration, menu data, and customer-facing identifiers tied to individual QRMenu accounts.
Root Cause
The root cause is missing object-level authorization. The application uses a key controlled by the requester, such as an identifier passed in a URL path, query parameter, or request body, to look up records. The lookup proceeds without comparing the resource owner to the session identity. Any authenticated or unauthenticated client that can reach the QRMenu endpoint can iterate or guess keys and retrieve associated data.
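The missing object-level check described above, as an added illustration that is not QRMenu's code (the advisory does not show the vendor's implementation): a lookup driven by the requester-controlled key alone beside two hardened forms, using a constructed in-memory store and hypothetical merchant names.

```python
# Constructed store: menu records keyed by id, each tagged with its owner.
MENUS = {
    101: {"owner": "merchant-a", "items": ["espresso", "latte"]},
    102: {"owner": "merchant-b", "items": ["pide", "ayran"]},
}


class Forbidden(Exception):
    """The session identity does not own the requested record."""


def get_menu_vulnerable(session_user, menu_id):
    """Vulnerable pattern (CWE-639): the lookup is driven by the
    requester-controlled key alone and the owner is never compared to
    the session, so any reachable client can read any merchant's menu."""
    return MENUS.get(menu_id)


def get_menu_hardened(session_user, menu_id):
    """Same lookup with object-level authorization enforced: unknown ids
    return None, and a record owned by someone else, or any request with
    no session at all, raises Forbidden instead of returning the record."""
    record = MENUS.get(menu_id)
    if record is None:
        return None
    if session_user is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user!r} may not read menu {menu_id}")
    return record


def get_menu_scoped(session_user, menu_id):
    """Alternative fix: scope the query to the session's own records first,
    so the caller-supplied key can only select among what it already owns."""
    owned = {k: v for k, v in MENUS.items() if v["owner"] == session_user}
    return owned.get(menu_id)


def handle_request(session_user, menu_id):
    """Maps the hardened lookup onto HTTP status codes as a handler would."""
    try:
        record = get_menu_hardened(session_user, menu_id)
    except Forbidden:
        return 403, None
    return (200, record) if record is not None else (404, None)
```

The scoped variant answers 404 rather than 403 for another owner's record, which also avoids confirming that the identifier exists.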
Attack Vector
An attacker sends crafted HTTP requests to QRMenu endpoints over the network. The attacker substitutes a target key value in the request and receives data scoped to that key. No credentials, tokens, or social engineering are required. Automated enumeration of sequential or predictable keys allows bulk extraction of records across the platform. Refer to the USOM Security Notification TR-25-0333 for vendor coordination details.
Detection Methods for CVE-2025-9902
Indicators of Compromise
- Repeated HTTP requests to QRMenu endpoints with sequentially incrementing identifier parameters from a single source address.
- Successful HTTP 200 responses to requests where the supplied resource key does not match the authenticated session, if any.
- Spikes in outbound data volume from QRMenu application servers to untrusted client networks.
- Web access logs showing access to many distinct resource identifiers within a short time window.
Detection Strategies
- Inspect web server and application logs for high-cardinality access patterns against parameterized URLs in QRMenu.
- Correlate session identity with the resource owner field returned in responses to flag mismatches.
- Deploy a Web Application Firewall (WAF) rule that rate-limits requests targeting object identifier parameters.
Monitoring Recommendations
- Monitor authentication and authorization events emitted by QRMenu for anomalous access to records outside a user's normal scope.
- Forward QRMenu application logs into a centralized SIEM and alert on enumeration patterns against resource identifiers.
- Track baseline request volumes per endpoint and alert on sustained deviations consistent with scripted enumeration.
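The high-cardinality access pattern named in the indicators and detection strategies above, as an added example (not from the advisory or the vendor) that runs over constructed Combined Log Format lines: it counts, per source address, how many distinct resource identifiers were fetched successfully inside a sliding time window. The /api/menus/<id> path, the addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Combined Log Format lines; /api/menus/<id> is an assumed path.
ACCESS_LOG = """\
203.0.113.7 - - [05/Sep/2025:10:00:01 +0000] "GET /api/menus/101 HTTP/1.1" 200 512
203.0.113.7 - - [05/Sep/2025:10:00:02 +0000] "GET /api/menus/102 HTTP/1.1" 200 498
203.0.113.7 - - [05/Sep/2025:10:00:02 +0000] "GET /api/menus/103 HTTP/1.1" 200 530
203.0.113.7 - - [05/Sep/2025:10:00:03 +0000] "GET /api/menus/104 HTTP/1.1" 200 511
203.0.113.7 - - [05/Sep/2025:10:00:03 +0000] "GET /api/menus/105 HTTP/1.1" 200 477
198.51.100.4 - - [05/Sep/2025:10:00:04 +0000] "GET /api/menus/101 HTTP/1.1" 200 512
198.51.100.4 - - [05/Sep/2025:10:05:00 +0000] "GET /api/menus/101 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
ID_RE = re.compile(r"^/api/menus/(?P<rid>\d+)$")


def parse(log_text):
    """Yield (ip, timestamp, resource id) for successful requests to keyed resources."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        r = ID_RE.match(m["path"]) if m else None
        if m and r and m["status"] == "200":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, r["rid"]


def find_enumerators(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {ip: peak distinct-id count} for sources that fetched at least
    `threshold` distinct identifiers inside any `window`; repeated hits on one
    id (normal use) never raise the count, only distinct keys do."""
    by_ip = defaultdict(list)
    for ip, ts, rid in parse(log_text):
        by_ip[ip].append((ts, rid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            distinct = len({rid for _, rid in events[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged
```

Tune the window and threshold to the baseline request volume per endpoint; the same per-source counting can be expressed as a SIEM aggregation once the logs are centralized.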
How to Mitigate CVE-2025-9902
Immediate Actions Required
- Upgrade QRMenu to the vendor build dated 05.09.2025 or later, which contains the authorization fix.
- Inventory all QRMenu instances and confirm that none still run an affected 1.05.12 build and that the patched build dated 05.09.2025 or later is deployed on each.
- Review application access logs since the deployment of version 1.05.12 for signs of unauthorized object access.
Patch Information
AKIN Software released a fixed QRMenu build dated 05.09.2025 (September 5, 2025). Administrators should coordinate with the vendor or hosting provider to confirm the deployed version. Additional advisory information is published in the USOM Security Notification TR-25-0333.
Workarounds
- Place QRMenu behind a Web Application Firewall and restrict access to known administrative source addresses where feasible.
- Apply rate limiting to endpoints that accept resource identifiers to slow enumeration attempts.
- Audit application logs daily until the patched build is deployed and rotate any exposed credentials or tokens discovered during review.
# Example WAF rate-limit rule (NGINX) to slow enumeration of QRMenu resource identifiers
# limit_req_zone must sit in the http {} context; the server block below goes inside it.
# qrmenu_backend is a placeholder upstream name; define it with an upstream {} block.
limit_req_zone $binary_remote_addr zone=qrmenu_ids:10m rate=10r/s;
server {
    location /api/ {
        limit_req zone=qrmenu_ids burst=20 nodelay;
        proxy_pass http://qrmenu_backend;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.