External risk intelligence

CVLand Authorization Bypass Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.9)

CVE-2025-0987

An authorization bypass vulnerability in CVLand allows parameter injection, potentially leading to unauthorized data access and modification. The vendor has not responded to inquiries, leaving the full impact and available fixes uncertain. This issue requires attention to confirm its relevance and exposure within your

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2025-0987

3

CVLand is a project management application. While such applications can be deployed as internet-facing web portals, they are also frequently deployed in internal or restricted corporate networks. The CVE context does not specify that public-facing deployment is the standard or mandatory configuration for this product.

PCI scan relevance

PCI Relevance for CVE-2025-0987

Yes

CVE-2025-0987 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is an authorization bypass vulnerability in CVLand that involves parameter injection; as such, it could cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability is an authorization bypass in CVLand that enables unauthorized access to and modification of data. The issue allows parameter injection, which could lead to significant data compromise. Because the vendor has not responded, the full impact and the available mitigations are not yet fully understood.

  • Bypass allows unauthorized access and data changes.
  • Vendor unresponsive; impact and fixes uncertain.
  • Confirm relevance and exposure for CVLand.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted request to the CVLand application, bypassing authorization checks due to how user-provided keys are handled. This parameter injection vulnerability could allow an attacker to gain unauthorized access and potentially manipulate data within the application. The vendor has not responded to inquiries about this issue.

  • Attacker needs network access.
  • Triggered by sending a malicious request.
  • Leads to data compromise and unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to bypass authorization controls, potentially impacting the integrity and confidentiality of system and user data within the CVLand application when supported by specific configurations.

  • System data integrity could be affected.
  • Unauthorized access to system data may occur.
  • Impact to service behavior is possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This authorization bypass vulnerability in CVLand likely impacts application owners responsible for its deployment and configuration. The first practical step is to identify all instances of CVLand within your environment, assess their accessibility, and determine their business criticality. Once ownership is confirmed, a risk-based remediation plan can be developed.

  • Application owners should manage the issue.
  • Verify CVLand's network exposure and criticality.
  • Plan remediation based on identified risk.
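The attack path above describes the general class of flaw (an authorization decision that depends on a key the caller supplies) and the remediation section asks owners to assess and remediate. The following is an added illustration written for this page; it is generic example code, not CVLand's code, and it assumes nothing about CVLand's real request format. The parameter names `user_id` and `project_id`, the handler names, the sample project records and the `user=<session user> <method> <path>` log format are all hypothetical. It shows the vulnerable pattern beside the hardened form, and a small log check a defender can adapt to flag requests where a caller-supplied identity parameter disagrees with the authenticated session.

```python
"""Added, generic illustration of an authorization bypass caused by trusting a
caller-supplied key.  Hypothetical names and data; not CVLand's code."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample data: two projects owned by two different users.
PROJECTS = {
    "101": {"owner": "alice", "name": "Payroll migration", "status": "active"},
    "202": {"owner": "bob", "name": "Vendor audit", "status": "draft"},
}


@dataclass(frozen=True)
class Request:
    session_user: str   # identity established by the server-side session
    params: dict        # query/body parameters, fully caller-controlled


class Forbidden(Exception):
    pass


def get_project_vulnerable(req: Request) -> dict:
    """Vulnerable pattern: the ownership check trusts a *request* parameter
    (``user_id``) instead of the authenticated session.  Because the caller
    controls that key, the check can be satisfied without being the owner."""
    project = PROJECTS[req.params["project_id"]]
    if project["owner"] != req.params.get("user_id"):
        raise Forbidden("not the owner")
    return project


def get_project_fixed(req: Request) -> dict:
    """Hardened pattern: authorization is derived from the server-side session
    identity only; any identity-like key in the parameters is ignored."""
    project = PROJECTS.get(req.params.get("project_id", ""))
    if project is None or project["owner"] != req.session_user:
        # One response for "missing" and "not yours" avoids leaking existence.
        raise Forbidden("not found or not authorized")
    return project


def can_read(handler, session_user: str, params: dict) -> bool:
    """Return True if ``handler`` grants access for this session/params pair."""
    try:
        handler(Request(session_user, params))
        return True
    except Forbidden:
        return False


# Detection: constructed access-log lines in a hypothetical
# "user=<session user> <method> <path>" format.  Adapt the parser to your own.
SAMPLE_LOG = """\
user=alice GET /projects?project_id=101&user_id=alice
user=mallory GET /projects?project_id=101&user_id=alice
user=bob GET /projects?project_id=202&user_id=bob
user=mallory GET /projects?project_id=202
"""


def suspicious_identity_mismatches(log_text: str) -> list[tuple[str, str, str]]:
    """Return (session_user, supplied_user_id, project_id) for every request
    where a caller-supplied ``user_id`` differs from the session identity.
    Such mismatches are the signal to investigate for this bug class."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user_field, _method, path = line.split(" ", 2)
        session_user = user_field.removeprefix("user=")
        qs = parse_qs(urlparse(path).query)
        supplied = qs.get("user_id", [None])[0]
        if supplied is not None and supplied != session_user:
            hits.append((session_user, supplied, qs.get("project_id", [""])[0]))
    return hits


if __name__ == "__main__":
    params = {"project_id": "101", "user_id": "alice"}
    print("vulnerable handler grants mallory:", can_read(get_project_vulnerable, "mallory", params))
    print("fixed handler grants mallory:", can_read(get_project_fixed, "mallory", params))
    print("identity mismatches in log:", suspicious_identity_mismatches(SAMPLE_LOG))
```

The design point is that the hardened handler never reads an identity from the request at all: the session is the only source of "who is asking", and the record lookup and the ownership test are collapsed into one not-found response so that probing for other users' records yields no extra information. The log check is deliberately simple; in a real deployment the same comparison would run against whatever field your application writes for the authenticated principal.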

Frequently asked questions

What is CB Project Ltd. Co. CVLand?

CVLand is a technology used for project management. It helps users organize and track projects, and is often deployed in corporate networks.

What is CVE-2025-0987?

CVE-2025-0987 is an authorization bypass vulnerability in CVLand. It means an attacker could potentially access or change data they shouldn't be able to by injecting parameters into the application.

How can an attacker exploit this CVLand vulnerability?

An attacker could exploit this by sending a specific, crafted request to the CVLand application. This request would take advantage of how the application handles user-controlled keys to bypass normal security checks.

Who should care about this CVLand security issue?

Organizations using CVLand should care, especially if it's accessible from the internet. Even if it's internal, there's a possibility of unauthorized access or data changes.

What is the first step for managing this CVLand vulnerability?

If you are running CVLand, you should first find all instances of it in your environment. Then, determine how exposed it is to the network and how critical it is to your business operations.
