
CVE-2022-45166: n/a in n/a

Medium
Type: Vulnerability
Published: Tue Jan 10 2023 (01/10/2023, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a set of user-controlled parameters that are used to act on the data returned to the user. It allows a basic user to access data unrelated to their role.

AI-Powered Analysis

Last updated: 07/08/2025, 15:56:31 UTC

Technical Analysis

CVE-2022-45166 is a medium-severity vulnerability affecting Archibus Web Central version 2022.03.01.107. The vulnerability arises from improper access control in a service exposed by the application: the service accepts user-controlled parameters that determine which data is returned, and because authorization is not checked against the caller's role, a basic user can manipulate those parameters to retrieve data that their role should not see. This is a broken access control issue, classified under CWE-284. Exploitation requires no user interaction, is possible remotely over the network, and needs only basic user privileges. The CVSS 3.1 score is 6.5, reflecting high confidentiality impact but no impact on integrity or availability. The scope is unchanged, meaning the vulnerability affects only the component where it exists. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could allow unauthorized disclosure of sensitive information managed within Archibus Web Central, a widely used integrated workplace management system (IWMS) for real estate, infrastructure, and facilities management.

Potential Impact

For European organizations using Archibus Web Central, this vulnerability poses a significant risk to the confidentiality of sensitive facility and real estate management data. Unauthorized access to such data could lead to exposure of critical infrastructure details, occupancy information, financial data, or strategic planning documents. This could facilitate further targeted attacks, insider threats, or competitive intelligence gathering. Given that Archibus is used by many large enterprises, universities, and government agencies across Europe, the impact could be substantial if exploited. The lack of integrity or availability impact means the threat is primarily data leakage rather than system disruption. However, the exposure of sensitive data could have regulatory consequences under GDPR, especially if personal data or critical infrastructure information is involved. This could lead to reputational damage, legal penalties, and loss of trust.

Mitigation Recommendations

Organizations should immediately review access control configurations within Archibus Web Central and restrict user permissions to the minimum necessary. Implement strict validation and sanitization of user-supplied parameters in the affected service to ensure users can only query data within their authorized scope. Monitor logs for unusual access patterns indicative of parameter tampering. Until an official patch is released, consider isolating the Archibus Web Central instance behind additional access controls such as VPNs or IP whitelisting to limit exposure. Conduct a thorough audit of data accessible to basic users and remove any unnecessary sensitive information. Engage with the vendor or community to obtain patches or workarounds as soon as they become available. Additionally, implement network segmentation and data loss prevention (DLP) controls to reduce the risk of data exfiltration if unauthorized access occurs.
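The defect class described above (request parameters steering a data service while the caller's role is never consulted) and the first two mitigation points (scope enforcement and audit logging of tampering attempts) are illustrated by the following added example. It is not Archibus code and does not reflect the affected service; the record type, the "basic" and "facility_admin" roles, the site/table policy and the sample data are all constructed placeholders.

```python
"""Added illustration of a broken-access-control service and its hardened form.
Not Archibus code: roles, tables, sites and sample records are constructed."""
from __future__ import annotations

import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
audit = logging.getLogger("access-audit")


@dataclass(frozen=True)
class User:
    name: str
    role: str   # "basic" or "facility_admin" (constructed roles)
    site: str   # the single site a basic user is entitled to see


@dataclass(frozen=True)
class Record:
    site: str
    table: str
    payload: str


# Constructed sample data: two sites, a routine table and a sensitive table each.
DATA = [
    Record("site-A", "rooms", "room occupancy for site A"),
    Record("site-A", "leases", "lease financials for site A"),
    Record("site-B", "rooms", "room occupancy for site B"),
    Record("site-B", "leases", "lease financials for site B"),
]

# Constructed policy: which tables each role may read.
ROLE_TABLES = {
    "basic": {"rooms"},
    "facility_admin": {"rooms", "leases"},
}


def vulnerable_query(user: User, params: dict) -> list[Record]:
    """Defect class: request parameters drive the filter directly and the
    caller's role is never checked, so a basic user can request any site or
    table simply by changing the parameters."""
    site = params.get("site", user.site)
    table = params.get("table", "rooms")
    return [r for r in DATA if r.site == site and r.table == table]


def hardened_query(user: User, params: dict) -> list[Record]:
    """Authorization is derived from the server-side identity, not from the
    request. Parameters may only narrow a result set the user is already
    entitled to; anything outside that scope is refused and written to an
    audit log so repeated attempts can be monitored."""
    allowed_tables = ROLE_TABLES.get(user.role, set())
    allowed_sites = {user.site} if user.role == "basic" else {r.site for r in DATA}

    site = params.get("site", user.site)
    table = params.get("table", "rooms")

    if site not in allowed_sites or table not in allowed_tables:
        audit.warning("denied user=%s role=%s site=%s table=%s",
                      user.name, user.role, site, table)
        raise PermissionError("parameter outside authorized scope")

    return [r for r in DATA if r.site == site and r.table == table]


def demo() -> tuple[int, str]:
    """Run the same tampered request through both versions: the vulnerable
    service leaks one record from another site's sensitive table, the
    hardened one refuses it."""
    basic = User("alice", "basic", "site-A")
    tampered = {"site": "site-B", "table": "leases"}
    leaked = vulnerable_query(basic, tampered)
    try:
        hardened_query(basic, tampered)
        outcome = "allowed"
    except PermissionError:
        outcome = "denied"
    return len(leaked), outcome


if __name__ == "__main__":
    print(demo())  # (1, 'denied')
```

The point of the hardened form is that the allowed sites and tables are computed from the authenticated identity before any request parameter is read; the parameters can then only select within that set. The denial log line gives the "unusual access patterns" monitoring in the recommendations something concrete to alert on.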


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-11-11T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839d93e182aa0cae2b73015

Added to database: 5/30/2025, 4:13:50 PM

Last enriched: 7/8/2025, 3:56:31 PM

Last updated: 7/30/2025, 5:25:16 AM

