The Indian – Computer Emergency Response Team (CERT-In) issued a critical vulnerability note, CIVN-2025-0048, detailing several vulnerabilities in the Rising Technosoft CAP back office application.
The Rising Technosoft vulnerabilities, affecting all versions prior to 2.0.4, pose a cybersecurity risk to end users, potentially enabling attackers to gain unauthorized access, perform account takeovers, and cause data breaches.
The vulnerabilities are found in Rising Technosoft’s CAP back office application, a Windows-based software primarily used by stock brokers and depository participants. All versions of the software prior to 2.0.4 are affected by these flaws.
Key Rising Technosoft Vulnerabilities
The report outlines five critical vulnerabilities, each of which could be exploited to gain unauthorized access or compromise user accounts. These include:
Improper Authentication Vulnerability (CVE-2025-29994)
The CIVN-2025-0048 advisory highlights an improper authentication vulnerability within the CAP back office application’s API endpoint. This flaw allows an unauthenticated attacker to bypass authentication mechanisms by manipulating API parameters. By exploiting this vulnerability, attackers could gain unauthorized access to user accounts, leading to potential data theft or account misuse.
Account Takeover Vulnerability (CVE-2025-29995)
Another critical vulnerability involves a weak password reset mechanism. Attackers with a valid login ID can exploit this flaw through the application’s API endpoints to reset the passwords of other users. This vulnerability could result in a complete account takeover, granting attackers full control over the affected accounts.
Authentication Bypass Vulnerability (CVE-2025-29996)
The application’s two-factor authentication (2FA) mechanism is also vulnerable. Due to improper implementation of OTP verification, attackers with valid credentials can bypass 2FA by manipulating API requests. This flaw could allow unauthorized users to access accounts that would otherwise be protected by the additional layer of security.
Improper Access Control Vulnerability (CVE-2025-29997)
The CAP back office application suffers from improper access control checks at certain API endpoints. This vulnerability allows authenticated attackers to manipulate API request URLs, granting them unauthorized access to other users’ accounts. Such an issue could expose sensitive data or result in unauthorized transactions, further jeopardizing user security.
No Rate Limiting Vulnerability (CVE-2025-29998)
A lack of rate limiting on OTP requests presents another serious vulnerability. Attackers can exploit this flaw by flooding the application’s API with multiple OTP requests in a short period, leading to OTP bombing. This denial-of-service attack could severely impact the system’s performance, hindering legitimate user access and increasing the likelihood of other malicious activities.
Conclusion
The vulnerabilities outlined in CIVN-2025-0048 pose a cybersecurity risk to users of the Rising Technosoft CAP back office application, potentially leading to unauthorized access, data breaches, account takeovers, and financial losses.
These critical issues expose sensitive user information to exploitation, making it crucial for all users to upgrade to version 2.0.4 or later. Rising Technosoft has acknowledged the vulnerabilities and is actively addressing the problem, recommending the update to enhance security. If left unpatched, these flaws could severely impact the integrity of the system.
