CVE-2025-52289: 
MagnusSolution MagnusBilling vulnerability analysis and mitigation

A Broken Access Control vulnerability was discovered in MagnusBilling v7.8.5.3 that allows newly registered users to gain unauthorized privileges. The vulnerability enables users to bypass administrator approval by sending a crafted request to /mbilling/index.php/user/save to change their account status from 'pending' to 'active'. The vulnerability was disclosed on July 31, 2025, and affects MagnusBilling installations running version 7.8.5.3 (NVD, AttackerKB).

The vulnerability is classified as a Broken Access Control (CWE-284) and Improper Privilege Management (CWE-269) issue. It has received a CVSS v3.1 base score of 8.0 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability can be exploited remotely through the network, requires low attack complexity, and needs low privileges with user interaction (NVD).

The vulnerability allows unauthorized elevation of user privileges by bypassing the administrator approval process. This could lead to unauthorized access to system features and functionalities intended only for verified users. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (AttackerKB).

The vulnerability has been patched in MagnusBilling version 7.8.5.3. Users are advised to update to this version or later to mitigate the risk. The fix addresses the access control issue by implementing proper validation of user status changes (GitHub Patch).