External risk intelligence

Classroomio allows unauthorized students to delete courses.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-65669

Classroomio is a web-based classroom management platform. As a web application designed for students and educators to access course materials via the internet, it is commonly deployed as an internet-facing service.

Classroomio

0.1.13

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows any student account to delete courses without authorization, bypassing restrictions meant for administrators. The affected technology is classroomio, specifically version 0.1.13. The concern is that this could disrupt educational operations by enabling unauthorized removal of course content.

  • Students can delete courses without permission.
  • Ensures proper controls for course data.
  • Confirm if this education platform is used.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can delete any course from the Explore page by directly interacting with the classroomio application. This bypasses the intended restriction that only administrators can perform course deletions, potentially leading to unauthorized data modification and availability impacts.

  • No authentication or authorization needed.
  • Student accounts can delete courses.
  • Unauthorized course deletion.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthorized users to delete courses from the platform's Explore page, impacting the integrity and availability of course data. This occurs because the application lacks proper authorization and authentication checks for course deletion, a restriction that should only apply to administrators.

  • Student data and course content.
  • Unauthorized deletion requests are accepted.
  • Courses and associated data are permanently lost.

Operational Fix

Recommended remediation, mitigation, and detection steps

The classroomio application's vulnerability, allowing unauthorized course deletion, likely falls under the purview of the application owner or platform team responsible for its deployment and management. The first practical step is to identify all instances of classroomio and determine their reachability and business criticality. Once confirmed, the accountable owner must be identified to plan remediation based on the associated risk.

  • Application owners should own this issue.
  • Verify unauthorized course deletion capability.
  • Plan remediation with vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is classroomio?

Classroomio is a web-based classroom management platform designed to help educators and students organize and access course materials. It functions as a centralized hub for educational content, typically deployed as an internet-accessible service to facilitate remote or blended learning environments.

What does CWE-862 mean for CVE-2025-65669?

CWE-862 is the classification for Missing Authorization. In the context of this vulnerability, it means the application fails to verify if a user has the proper permissions—in this case, administrator rights—before allowing them to perform a sensitive action like deleting a course. Because these checks are missing, the system treats unauthorized requests as valid.

How can a student trigger this vulnerability?

A student account can trigger this issue by interacting with the Explore page within the classroomio application to initiate a course deletion. It is important to note that this bug is not restricted to specific, complex attack paths; it occurs because the software lacks internal safeguards to block unauthorized users from accessing administrative functions.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal identifies classroomio as a web-based platform commonly deployed as an internet-facing service. Because the application is designed to be accessible to students and educators over the internet, any instance exposed publicly is considered to have a higher potential for this issue to be triggered compared to services strictly hosted on internal networks.

Do I need to take action if I use classroomio?

Yes. If you run version 0.1.13, your first step is to identify all instances of the platform within your environment and assess their business importance. Once identified, work with the system owner to evaluate the impact of unauthorized course deletions and coordinate with the vendor or development team to address the lack of authorization controls.

References