CVE-2025-0885: CWE-863 Incorrect Authorization in OpenText™ GroupWise

Severity: Low
Published: Thu Jul 03 2025 (07/03/2025, 09:54:20 UTC)
Source: CVE Database V5
Vendor/Project: OpenText™
Product: GroupWise

Description

Incorrect Authorization vulnerability in OpenText™ GroupWise allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow unauthorized access to calendar items marked private. This issue affects GroupWise versions 7 through 17.5, 23.4, 24.1, 24.2, 24.3, 24.4.

AI-Powered Analysis

Last updated: 07/03/2025, 10:24:34 UTC

Technical Analysis

CVE-2025-0885 is an Incorrect Authorization vulnerability (CWE-863) affecting OpenText™ GroupWise, an enterprise collaboration and messaging platform. The flaw stems from improperly configured access control security levels, which can be exploited to gain unauthorized access to calendar items that users have marked as private. It affects GroupWise versions 7 through 17.5, 23.4, 24.1, 24.2, 24.3, and 24.4, indicating a long-standing issue across legacy and recent releases. An attacker needs high privileges (PR:H) and local access (AV:L) to bypass the intended authorization checks; no user interaction is required (UI:N). The CVSS 4.0 base score is 1.8 (low severity), primarily because exploitation requires privileged access and local presence, and because the impact is limited to confidentiality (unauthorized disclosure of private calendar data) without affecting integrity or availability. No exploits in the wild are known so far, and no patches or fixes have been explicitly linked in the provided data. The issue points to a misconfiguration or design flaw in access control enforcement within GroupWise's calendar module, potentially exposing sensitive scheduling information to unauthorized users within the same environment.

Potential Impact

For European organizations, the unauthorized disclosure of private calendar items can have significant privacy and operational impacts. Calendar data often contains sensitive information such as meeting topics, participant lists, and strategic plans. Exposure of such data could lead to privacy violations under GDPR, reputational damage, and potential leakage of confidential business information. Although the vulnerability requires local privileged access, insider threats or compromised accounts with elevated privileges could exploit this flaw to access private calendar entries. This risk is particularly relevant for sectors with strict confidentiality requirements, such as government agencies, financial institutions, and healthcare providers across Europe. The low CVSS score may underestimate the contextual impact, as unauthorized access to private schedules could facilitate targeted social engineering or espionage activities. The lack of known exploits suggests limited active exploitation currently, but the presence of this vulnerability across multiple versions means many organizations may still be exposed if they have not reviewed or hardened their GroupWise deployments.

Mitigation Recommendations

Organizations should conduct a thorough review of their GroupWise access control configurations, focusing on calendar item permissions and security level settings to ensure private items are properly protected. Since no explicit patches are referenced, organizations should watch for OpenText security advisories and prioritize applying vendor updates once they are released. Limiting privileged local access to trusted administrators and enforcing strict role-based access controls can reduce the risk of exploitation. Monitoring and alerting on unusual access patterns to calendar data can help detect potential misuse. Additionally, organizations should consider segmenting GroupWise servers and restricting administrative access via network controls and multi-factor authentication. Regular audits of user privileges and calendar sharing policies will help maintain appropriate confidentiality boundaries. Finally, educating privileged users about the sensitivity of calendar data and the risks of unauthorized access can reduce insider threat risk.

Technical Details

Data Version: 5.1
Assigner Short Name: OpenText
Date Reserved: 2025-01-30T15:23:28.138Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 686656db6f40f0eb72962010

Added to database: 7/3/2025, 10:09:31 AM

Last enriched: 7/3/2025, 10:24:34 AM

Last updated: 7/13/2025, 8:30:30 AM
