PT-2025-52292 · Unknown · Control Id Panel

Published: 2025-12-18 · Updated: 2025-12-19 · CVE-2025-64400

CVSS v3.1: 4.1 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Control Panel (affected versions not specified)

Description

The Control Panel software has an issue in its API for pre-registering users into an enrollment and organization before their initial login. The user-creation API verifies that the requesting account has edit permissions on the enrollment-level user directory, but it performs no separate check that the enrollment editor has access to, or membership in, the organization to which they are adding a user. As a result, the user-creation endpoint does not adequately validate organizational access rights. The vulnerable parameter is the organization identifier used during user creation.
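
A minimal sketch of the authorization gap described above, added here as an illustration and not taken from the Control Panel code: the first handler authorizes only on the enrollment-level permission, the second also authorizes the caller-supplied organization identifier. The data model, the function names and the assumption that each organization maps to one enrollment are hypothetical.

```python
# Added illustration; the data model and all names are hypothetical,
# not taken from the Control Panel code base.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not authorized for the request."""


@dataclass
class Caller:
    name: str
    # Enrollment ids whose user directory the caller may edit.
    editable_enrollments: set = field(default_factory=set)
    # Organization ids the caller is a member of or has access to.
    organizations: set = field(default_factory=set)


# Constructed sample data. Assumption: each organization belongs to one enrollment.
ORG_ENROLLMENT = {"org-a": "enr-1", "org-b": "enr-1"}


def create_user_flawed(caller, enrollment_id, org_id, email):
    """Checks only the enrollment-level permission, as the description states."""
    if enrollment_id not in caller.editable_enrollments:
        raise Forbidden("no edit permission on enrollment user directory")
    return {"email": email, "enrollment": enrollment_id, "org": org_id}


def create_user_checked(caller, enrollment_id, org_id, email):
    """Adds the organization-level check the description says is missing."""
    if enrollment_id not in caller.editable_enrollments:
        raise Forbidden("no edit permission on enrollment user directory")
    # The org id is request input: confirm it belongs to this enrollment...
    if ORG_ENROLLMENT.get(org_id) != enrollment_id:
        raise Forbidden("organization is not part of this enrollment")
    # ...and that the caller has access to that organization.
    if org_id not in caller.organizations:
        raise Forbidden("caller has no access to target organization")
    return {"email": email, "enrollment": enrollment_id, "org": org_id}


def is_allowed(fn, *args):
    """Return True if fn(*args) succeeds, False if it raises Forbidden."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```

A regression test for a fix of this class should call the endpoint as an enrollment editor with an organization identifier the editor does not belong to and expect a denial.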

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2025-64400

Affected Products

Control Id Panel