mutreasury Allegedly Breached: Admin Credentials and API Keys Exposed From the Egyptian University Payment Gateway Covering 28+ Universities, Sold With a Zero-Day Vulnerability
A threat actor is selling a database from mutreasury, the centralized payment gateway connecting more than 28 Egyptian universities for tuition, application fees, and other student payments. The dump contains administrative credentials, ERP integration API tokens, and the full transaction ledger linking student PII to fee payments through Fawry, e-Finance, and Khales. The seller is also marketing an unauthenticated-access zero-day vulnerability used to dump the data, which they say allows full persistence and real-time data extraction from the remaining 24+ universities not yet included in the public preview. The current public leak covers 4 major university targets as a proof of concept, with the complete dataset covering 28+ Egyptian universities connected to the same centralized infrastructure.
- ID, f1 through f14, isAdmin flag, isLocal flag, item_type
- Administrative credentials, internal employee data, access levels
- Encrypted and plaintext authentication strings
- Job titles and workplace affiliations

- scope_id, account_id, connectType
- erp_api_url, erp_api_token, erp_api_profile, erp_company_name
- Live API tokens and endpoint URLs bridging the payment gateway with internal university ERP systems
- Direct server-to-server communication credentials

- id, sender_id, foundation_id, fees, type, is_active
- sender_name, service_url, service_code, service_name
- sender_password, settlement_code, confirmation_url, settlement_amount
- payment_gateway_url, sender_request_number, sender_user_identifier
- confirmation_redirect_url
- Logic and credentials for connecting to national payment providers (e-Finance and Khales)
- Settlement codes, service passwords, and redirect flows

- UnivId, user_id, order_id, FacultyId, SessionId, CustomerId
- UniqueInvoiceId, item, Email, Mobile, RefNum, Service, Merchant
- UnivName, Result, Status, feesName, fawryFees
- notifyurl, PaidAmount, ConfirmedAt, ConfirmedBy, ConfirmedIP
- EnquiryDate, FacultyName, CustomerCode, CustomerName
- triedConfirm, PaymentMethod, description, SuccessIndicator
- Primary ledger for all student payments; it logs PII, transaction status, reference numbers (Fawry/Bank), and total amounts across various university faculties

- feeId, UniqueInvoiceId, item, Amount, feeName
- Granular breakdown of fees associated with each UniqueInvoiceId
- Payment nature specified (Application fees, Tuition, etc.)

- Unauthenticated access exploit
- Allows full persistence on the gateway
- Enables real-time data extraction from the remaining 24+ Egyptian universities not in the public preview