CVE-2025-52289

HIGH

MagnusBilling 7.8.5.3 - Unauthenticated Privilege Escalation via Crafted User Save Request

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-52289. PoCs published by Madhav-Bhardwaj.

AI-analyzed exploit summary: The repository describes a Broken Access Control vulnerability in MagnusBilling < v7.8.5.3, where users can escalate their account status from 'pending' to 'active' by modifying a request parameter. The writeup includes technical details such as the vulnerability type, impact, and a reference to the vendor patch commit.

Description

A Broken Access Control vulnerability in MagnusBilling v7.8.5.3 allows newly registered users to gain escalated privileges by sending a crafted request to /mbilling/index.php/user/save to set their account status from "pending" to "active" without requiring administrator approval.

Exploits (1)

nomisec · WRITEUP · 1 star
by Madhav-Bhardwaj · poc
https://github.com/Madhav-Bhardwaj/CVE-2025-52289

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: MagnusBilling < v7.8.5.3
Auth required
Prerequisites: User account with 'pending' status
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 8.0
EPSS 0.0039
EPSS Percentile 30.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-284 CWE-269
Status published
Products (1)
magnussolution/magnusbilling 7.8.5.3
Published Jul 31, 2025
Tracked Since Feb 18, 2026