Overview
A critical security vulnerability, identified as CVE-2025-64066, has been discovered in Primakon Pi Portal version 1.0.18. This vulnerability stems from a Broken Access Control issue within the REST API, specifically affecting the /api/v2/user/register endpoint. This allows unauthenticated attackers to register new user accounts directly in the application’s local database, bypassing the intended security mechanisms.
Technical Details
The /api/v2/user/register endpoint in Primakon Pi Portal 1.0.18 lacks proper authorization checks. Normally, user registration is designed to rely on an external Identity Provider. This vulnerability allows an attacker to bypass that intended flow and create user accounts without any authentication: a single POST request to the endpoint carrying the required user details is sufficient to create a new account. Furthermore, the endpoint's responses can be used to enumerate already registered user accounts, and that information could then be used for malicious purposes such as social engineering attacks.
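The following Python example, added here and not taken from Primakon's code, contrasts the shape of the bug the advisory describes with a hardened registration handler. It is deliberately framework-free: `UserStore` stands in for the local database, and the Identity Provider assertion is simulated with an HMAC-signed token (`idp_sign`, `verify_idp_assertion`, `IDP_SHARED_SECRET` are all assumed names, not Pi Portal APIs). The hardened handler takes the identity from the verified assertion rather than the request body, and returns the same status and body whether or not the account already existed, so the endpoint cannot be used to enumerate users.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class UserStore:
    """Constructed stand-in for the application's local user database."""
    users: dict = field(default_factory=dict)  # username -> profile


# --- Missing-check shape: the class of defect the advisory describes ---
def register_unchecked(store: UserStore, body: dict):
    """Anyone who can reach the endpoint gets an account, and the error
    text reveals whether a username is already registered."""
    if body["username"] in store.users:
        return 409, {"error": "user already exists"}  # enumeration oracle
    store.users[body["username"]] = {"email": body["email"]}
    return 201, {"created": body["username"]}


# --- Hardened shape: registration only on a verified IdP assertion ---
IDP_SHARED_SECRET = b"assumed-shared-secret"  # constructed; a real IdP would use its own keys


def idp_sign(claims: dict, secret: bytes = IDP_SHARED_SECRET) -> str:
    """Simulates the Identity Provider issuing a signed provisioning assertion."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_idp_assertion(token: str, secret: bytes = IDP_SHARED_SECRET):
    """Returns the claims if the assertion's HMAC is valid, else None."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def register_hardened(store: UserStore, headers: dict, body: dict):
    """Only a caller presenting a valid IdP provisioning assertion may register."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    claims = verify_idp_assertion(token[len("Bearer "):])
    if claims is None or claims.get("purpose") != "provision":
        return 401, {"error": "authentication required"}
    # Identity comes from the verified assertion, never from the request body.
    username = claims["sub"]
    if username not in store.users:
        store.users[username] = {"email": claims.get("email")}
    # Identical response whether or not the account existed: no enumeration signal.
    return 202, {"status": "accepted"}


if __name__ == "__main__":
    store = UserStore()
    token = idp_sign({"sub": "alice", "email": "alice@example.test", "purpose": "provision"})
    print(register_hardened(store, {}, {"username": "alice"}))
    print(register_hardened(store, {"Authorization": "Bearer " + token}, {}))
```

The point of the second handler is not the HMAC itself but the two properties it enforces: the decision to create an account rests on something only the Identity Provider can produce, and the endpoint's observable behaviour does not depend on whether the account already exists.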
CVSS Analysis
Currently, the CVSS score for CVE-2025-64066 is N/A, indicating that the severity of the vulnerability has not yet been officially assessed. However, given the potential for unauthorized user creation and user enumeration, this vulnerability should be considered highly critical and addressed immediately.
Possible Impact
The exploitation of CVE-2025-64066 can lead to several severe consequences:
- Unauthorized User Creation: Attackers can create numerous rogue accounts, potentially disrupting the system’s functionality.
- Privilege Escalation: The newly created accounts might be used to gain unauthorized access to sensitive data or functionality. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of the application.
- Data Breach: Compromised accounts can be used to access and exfiltrate sensitive data stored within the application.
- Denial of Service (DoS): Mass user creation could overload the system, leading to a denial of service.
- Social Engineering: Enumerating registered users aids in social engineering or further targeted attacks.
Mitigation or Patch Steps
The following steps are recommended to mitigate the risks associated with CVE-2025-64066:
- Apply the Official Patch: Check the Primakon website for an official patch or update that addresses this vulnerability. This is the most effective solution.
- Implement Access Control: If a patch is not immediately available, implement temporary access control measures on the /api/v2/user/register endpoint. This could involve restricting access to this endpoint based on IP address or requiring authentication.
- Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) and configure it to block requests to the vulnerable endpoint that do not meet specific criteria (e.g., requiring authentication).
- Monitor for Suspicious Activity: Implement monitoring mechanisms to detect unusual user registration activity.
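As an added example of the monitoring step (not part of the original advisory), the Python below scans web-server access logs for POST requests to /api/v2/user/register and raises two kinds of alert: calls from any source other than the assumed Identity Provider provisioning host (`IDP_ALLOWLIST`, a constructed value), and bursts of registrations from one source within a short window. The log lines are constructed samples in a common combined-log layout, not real Pi Portal logs; the window and threshold are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real Pi Portal output).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2025:10:00:01 +0000] "POST /api/v2/user/register HTTP/1.1" 201 87
203.0.113.7 - - [12/Nov/2025:10:00:02 +0000] "POST /api/v2/user/register HTTP/1.1" 201 87
203.0.113.7 - - [12/Nov/2025:10:00:02 +0000] "POST /api/v2/user/register HTTP/1.1" 409 44
203.0.113.7 - - [12/Nov/2025:10:00:03 +0000] "POST /api/v2/user/register HTTP/1.1" 201 87
198.51.100.20 - - [12/Nov/2025:10:00:05 +0000] "GET /api/v2/status HTTP/1.1" 200 12
10.0.0.5 - - [12/Nov/2025:10:01:00 +0000] "POST /api/v2/user/register HTTP/1.1" 201 87
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
REGISTER_PATH = "/api/v2/user/register"
# Assumed: the IdP provisioning hook is the only legitimate caller of the endpoint.
IDP_ALLOWLIST = {"10.0.0.5"}


def parse(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(log_text: str, window=timedelta(minutes=1), burst_threshold=3,
           allowlist=IDP_ALLOWLIST):
    """Return alerts for registration calls from unexpected sources and for bursts.

    Alerts are tuples: ("unexpected_source", ip, status) or ("burst", ip, count).
    """
    alerts = []
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["method"] != "POST" or ev["path"] != REGISTER_PATH:
            continue
        if ev["ip"] not in allowlist:
            alerts.append(("unexpected_source", ev["ip"], ev["status"]))
        per_ip[ev["ip"]].append(ev["ts"])
    # Sliding window over each source's registration timestamps.
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("burst", ip, end - start + 1))
                break  # one burst alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both status codes are kept in the unexpected-source alerts so an analyst can tell successful creations apart from repeated failures, which on a vulnerable build is the pattern that enumeration probing would leave behind.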
