The critical vulnerability note issued by the Indian Computer Emergency Response Team (CERT-In) regarding the Rising Technosoft CAP back office application has raised significant concerns within the cybersecurity community. The vulnerabilities identified in the Rising Technosoft software, affecting versions prior to 2.0.4, have the potential to expose users to cyber threats, including unauthorized access, account takeovers, and data breaches.
Rising Technosoft’s CAP back office application, widely used by stock brokers and depository participants, has been found to contain multiple vulnerabilities that could be exploited by malicious actors. The report highlights five critical vulnerabilities, each presenting different risks to end users.
One of the vulnerabilities identified is an improper authentication vulnerability (CVE-2025-29994) in the application's API endpoint. This flaw allows attackers to bypass authentication mechanisms by manipulating API parameters, potentially leading to unauthorized access to user accounts and the compromise of sensitive data.
Another critical vulnerability involves a weak password reset mechanism (CVE-2025-29995), which could be exploited by attackers with valid login credentials to reset the passwords of other users. This could result in complete account takeovers, giving attackers full control over compromised accounts.
The application’s two-factor authentication (2FA) mechanism is also vulnerable to exploitation (CVE-2025-29996) due to the improper implementation of OTP verification. Attackers with valid credentials can bypass 2FA by manipulating API requests, potentially granting unauthorized access to protected accounts.
Furthermore, improper access control checks at certain API endpoints (CVE-2025-29997) allow authenticated attackers to manipulate URLs and gain unauthorized access to other users’ accounts. This could lead to the exposure of sensitive data or unauthorized transactions, posing a serious risk to user security.
Additionally, the lack of rate limiting on OTP requests (CVE-2025-29998) presents a vulnerability that could be exploited by attackers to perform denial-of-service attacks, impacting the system’s performance and hindering legitimate user access.
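As an added example (not code from the page, CERT-In, or Rising Technosoft), the following minimal password-reset and OTP flow shows the server-side checks whose absence the advisory describes: authorization taken from the authenticated session rather than a client-supplied target user, server-side OTP verification with a bounded number of attempts, and per-account throttling of OTP requests. The class and constant names, the limits, and the in-memory account store are assumptions made for illustration.

```python
# Added defensive example; the limits below are assumed policy values, not from the advisory.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional

OTP_REQUEST_LIMIT = 3        # OTP requests allowed per account per window
OTP_WINDOW_SECONDS = 600     # sliding window for the request limit
OTP_MAX_ATTEMPTS = 5         # wrong guesses before the code is invalidated


@dataclass
class Account:
    username: str
    password_hash: str
    otp: Optional[str] = None
    otp_attempts: int = 0
    otp_request_times: List[float] = field(default_factory=list)


class ResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.now = now  # injectable clock so the window can be tested

    def request_otp(self, session_user: str) -> str:
        acct = self.accounts[session_user]
        t = self.now()
        # Drop timestamps outside the window, then enforce the cap (unthrottled OTP
        # requests are the CVE-2025-29998 flaw class).
        acct.otp_request_times = [x for x in acct.otp_request_times if t - x < OTP_WINDOW_SECONDS]
        if len(acct.otp_request_times) >= OTP_REQUEST_LIMIT:
            raise PermissionError("OTP request rate limit exceeded")
        acct.otp_request_times.append(t)
        acct.otp = f"{secrets.randbelow(10**6):06d}"
        acct.otp_attempts = 0
        return acct.otp  # a real system delivers this out of band, never in the response

    def reset_password(self, session_user: str, target_user: str, otp: str, new_hash: str) -> bool:
        # The account being reset must be the one the session is authenticated as; a
        # client-chosen target is rejected (the CVE-2025-29995 / CVE-2025-29997 flaw class).
        if target_user != session_user:
            return False
        acct = self.accounts[session_user]
        # OTP is verified server-side, in constant time, with bounded attempts, so the
        # client cannot skip or brute-force the check (the CVE-2025-29996 flaw class).
        if acct.otp is None or acct.otp_attempts >= OTP_MAX_ATTEMPTS:
            return False
        acct.otp_attempts += 1
        if not hmac.compare_digest(acct.otp, str(otp)):
            return False
        acct.otp = None  # single use
        acct.password_hash = new_hash
        return True
```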
In conclusion, the vulnerabilities identified in the Rising Technosoft CAP back office application pose a significant cybersecurity risk to users, potentially resulting in data breaches, account takeovers, and financial losses. It is imperative for users to upgrade to version 2.0.4 or later to mitigate these risks. Rising Technosoft has acknowledged the vulnerabilities and is actively working to address them, emphasizing the importance of updating the software to enhance security and protect user information from exploitation. Failure to patch these vulnerabilities could have severe consequences for the system's integrity and user security.