Overview
CVE-2025-64065 describes a severe access-control vulnerability affecting Primakon Pi Portal version 1.0.18. The flaw allows an authenticated, low-privileged user to impersonate any other user, including administrators, because the /api/V2/pp_udfv_admin API endpoint performs insufficient server-side validation. This bypasses the portal's access controls entirely and gives the attacker every capability of the impersonated account.
Technical Details
The root cause of this vulnerability lies in two key issues:
- Broken Function Level Authorization: The /api/V2/pp_udfv_admin endpoint lacks proper privilege checks. The server never verifies whether the requesting user holds the permission needed to perform user impersonation (LoginAs).
- Insecure Design: The system allows a user session to be switched to another user simply by providing the target user's email address in a PATCH request. No password or administrative token is required for verification, making exploitation straightforward.
An attacker can exploit this vulnerability by sending a direct PATCH request to the vulnerable endpoint, specifying the email address of the target user. This allows the attacker to assume the identity and privileges of the targeted user.
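To make the two root causes concrete, here is an added illustrative model of a LoginAs handler with the flaw described above, beside a hardened version. This is example code written for this page, not Primakon's code (the portal's implementation is not shown here); the User and Session classes, the "email" request field, the role names and the USERS directory are assumptions made for the example.

```python
"""Model of the LoginAs flaw and a hardened alternative (illustrative, not Primakon's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    role: str  # assumed role names: "admin" or "user"


@dataclass
class Session:
    user: User
    impersonated_by: Optional[str] = None  # the real administrator behind an impersonation session


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed user directory for the example.
USERS = {
    "admin@example.com": User("admin@example.com", "admin"),
    "alice@example.com": User("alice@example.com", "user"),
    "bob@example.com": User("bob@example.com", "user"),
}


def login_as_vulnerable(session: Session, body: dict) -> Session:
    """Broken function-level authorization: the handler trusts any authenticated
    caller and switches the live session to whatever email the client names."""
    target = USERS.get(body.get("email", ""))
    if target is None:
        raise NotFound("no such user")
    session.user = target  # the caller's own role is never consulted
    return session


def login_as_hardened(session: Session, body: dict, audit: list) -> Session:
    """Same operation with the checks a LoginAs feature needs: the privilege
    decision comes from the server-held session, not from the request; an
    impersonation session cannot impersonate again; administrator accounts
    cannot be impersonated (assumed policy); every use is recorded; and a
    fresh session is issued instead of mutating the caller's."""
    actor = session.user
    if actor.role != "admin":
        raise Forbidden("LoginAs requires an administrator session")
    if session.impersonated_by is not None:
        raise Forbidden("LoginAs cannot be chained")
    target = USERS.get(body.get("email", ""))
    if target is None:
        raise NotFound("no such user")
    if target.role == "admin" and target.email != actor.email:
        raise Forbidden("administrator accounts cannot be impersonated")
    audit.append({"event": "login_as", "actor": actor.email, "target": target.email})
    return Session(user=target, impersonated_by=actor.email)
```

The decisive difference is where the authorization decision comes from: the hardened handler reads the caller's role from the server-side session and from nothing the client sends, which is exactly the control the vulnerable endpoint lacks. The audit record also gives defenders the "who impersonated whom" trail that the Monitoring advice later on this page depends on.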
CVSS Analysis
At the time of writing, no official CVSS score has been assigned to this vulnerability (N/A). Based on the impact of successful exploitation (network-reachable, low privileges required, no user interaction, and full control of the impersonated account), it would likely be rated High to Critical. The ability for any authenticated user to become an administrator warrants a high CVSS score.
Factors contributing to the potential high score include:
- Privilege Escalation: Low-privileged users can gain administrative access.
- Data Confidentiality: Attackers can access sensitive data belonging to the impersonated user.
- Data Integrity: Attackers can modify data and system configurations with the impersonated user’s privileges.
- Availability: Attackers could disrupt services or cause denial of service by manipulating critical system settings.
Possible Impact
Successful exploitation of CVE-2025-64065 can have significant consequences:
- Complete System Compromise: An attacker can gain full control of the Primakon Pi Portal instance by impersonating an administrator.
- Data Breach: Sensitive user data, system configurations, and other confidential information can be accessed and exfiltrated.
- Service Disruption: An attacker can disrupt or disable the Primakon Pi Portal service, causing business downtime.
- Reputational Damage: A successful attack can severely damage the reputation of the organization using the vulnerable software.
- Compliance Violations: Depending on the data stored and the regulatory environment, a data breach resulting from this vulnerability could lead to compliance violations and legal penalties.
Mitigation and Patch Steps
The primary mitigation strategy is to apply the latest security patch released by Primakon for the Pi Portal. If a patch is not immediately available, consider the following temporary measures:
- Disable the LoginAs/User Impersonation Feature: If possible, disable the vulnerable functionality until a patch is available.
- Implement Network Segmentation: Restrict network access to the Primakon Pi Portal to only authorized users and systems.
- Web Application Firewall (WAF) Rules: Implement WAF rules to detect and block malicious requests targeting the /api/V2/pp_udfv_admin endpoint; specifically, PATCH requests that attempt to switch the user session. Note that a blanket block also prevents legitimate administrative use of LoginAs, which is acceptable if the feature has been disabled as above; otherwise scope the rule to sessions that do not belong to administrators.
- Monitor System Logs: Closely monitor system logs for suspicious activity, such as PATCH requests to the endpoint from non-administrator accounts, or a single session whose authenticated identity changes from a low-privileged user to an administrator.
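As an added example of the log-monitoring item above (not part of the original advisory and not Primakon tooling), the following Python scans constructed JSON-lines access records for two signals: a PATCH to /api/V2/pp_udfv_admin from an account outside an administrator allowlist, and a session identifier whose authenticated identity changes from a non-administrator to someone else. The log format, the field names and the ADMINS allowlist are assumptions; a real deployment would map them onto the portal's own log fields.

```python
"""Detection of suspicious LoginAs use in constructed access-log records (added example)."""
import json
from typing import Dict, Iterable, List

ENDPOINT = "/api/V2/pp_udfv_admin"
ADMINS = {"admin@example.com"}  # assumed allowlist of accounts entitled to use LoginAs

# Constructed sample log (JSON lines, fields assumed). Session s-111 is a
# low-privileged user who PATCHes the endpoint and then appears as the
# administrator; session s-222 is an administrator using LoginAs legitimately.
SAMPLE_LOG = """\
{"ts":"2025-11-01T10:00:01Z","session":"s-111","user":"alice@example.com","method":"GET","path":"/api/V2/profile","status":200}
{"ts":"2025-11-01T10:00:05Z","session":"s-111","user":"alice@example.com","method":"PATCH","path":"/api/V2/pp_udfv_admin","status":200}
{"ts":"2025-11-01T10:00:09Z","session":"s-111","user":"admin@example.com","method":"GET","path":"/api/V2/settings","status":200}
{"ts":"2025-11-01T10:05:00Z","session":"s-222","user":"admin@example.com","method":"PATCH","path":"/api/V2/pp_udfv_admin","status":200}
{"ts":"2025-11-01T10:05:03Z","session":"s-222","user":"bob@example.com","method":"GET","path":"/api/V2/profile","status":200}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events: Iterable[Dict], admins=ADMINS) -> List[Dict]:
    """Return one alert per matching record, in log order.

    Rule 1: PATCH to the impersonation endpoint by a non-admin account.
    Rule 2: a session whose identity changes while its previous identity was
            not an admin (an admin switching to a user is what legitimate
            LoginAs looks like and is deliberately not flagged here).
    """
    alerts = []
    last_user: Dict[str, str] = {}  # session id -> most recently seen identity
    for e in events:
        user, sid = e.get("user"), e.get("session")
        if e.get("method") == "PATCH" and e.get("path") == ENDPOINT and user not in admins:
            alerts.append({"rule": "non_admin_loginas", "ts": e["ts"],
                           "session": sid, "user": user})
        prev = last_user.get(sid)
        if prev is not None and prev != user and prev not in admins:
            alerts.append({"rule": "session_identity_switch", "ts": e["ts"],
                           "session": sid, "from": prev, "to": user})
        last_user[sid] = user
    return alerts
```

Run against the constructed log, detect() raises two alerts for session s-111 (the non-admin PATCH and the subsequent identity switch to the administrator) and none for s-222. Rule 2 is the more durable signal: it keys on the session identifier rather than the endpoint path, so it still fires if the attacker reaches the same function through a differently named route.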
Contact Primakon support for further guidance and the latest patch information. Regularly review and update the Primakon Pi Portal to the latest version to benefit from security enhancements and bug fixes.
