CVE-2025-0885: CWE-863 Incorrect Authorization in OpenText™ GroupWise
Incorrect Authorization vulnerability in OpenText™ GroupWise allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow unauthorized access to calendar items marked private. This issue affects GroupWise versions 7 through 17.5, 23.4, 24.1, 24.2, 24.3, 24.4.
AI Analysis
Technical Summary
CVE-2025-0885 is an Incorrect Authorization vulnerability (CWE-863) in OpenText™ GroupWise, a widely used enterprise collaboration and messaging platform. The flaw stems from improperly configured access control security levels, which can be exploited to read calendar items that their owners have marked as private. The affected releases are GroupWise versions 7 through 17.5 and 23.4, 24.1, 24.2, 24.3 and 24.4, so the issue spans both legacy and current branches. In CVSS 4.0 terms the attacker needs high privileges (PR:H) and local access (AV:L) but no user interaction (UI:N); with those preconditions met, the intended authorization checks can be bypassed. The CVSS 4.0 base score is 1.8 (low), because exploitation requires privileged, local presence and the impact is confined to confidentiality (unauthorized disclosure of private calendar data), with no effect on integrity or availability. No exploitation in the wild is known, and no patch or fix is linked in the available data. The root cause is a misconfiguration or design flaw in access control enforcement within GroupWise's calendar module, which can expose sensitive scheduling information to unauthorized users within the same environment.
Potential Impact
For European organizations, unauthorized disclosure of private calendar items can have significant privacy and operational consequences. Calendar data often carries sensitive information such as meeting topics, participant lists and strategic plans, and its exposure can amount to a GDPR violation, cause reputational damage and leak confidential business information. Although exploitation requires local privileged access, an insider or a compromised account with elevated privileges could use this flaw to read private calendar entries. The risk is most relevant to sectors with strict confidentiality requirements, such as government agencies, financial institutions and healthcare providers across Europe. The low CVSS score may understate the contextual impact: knowledge of someone's private schedule can support targeted social engineering or espionage. The absence of known exploits suggests little active exploitation at present, but because the vulnerability spans many versions, organizations that have not reviewed or hardened their GroupWise deployments may still be exposed.
Mitigation Recommendations
Organizations should review their GroupWise access control configuration, focusing on calendar item permissions and security level settings, to confirm that private items are actually protected. Since no patch is referenced, any vendor updates or security advisories from OpenText should be applied as a priority once released. Restricting privileged local access to trusted administrators and enforcing role-based access control reduce the likelihood of exploitation. Monitoring and alerting on unusual access patterns to calendar data can detect misuse. Segmenting GroupWise servers and gating administrative access behind network controls and multi-factor authentication further limits who can reach the affected component. Regular audits of user privileges and calendar sharing policies keep confidentiality boundaries intact over time. Finally, making privileged users aware of how sensitive calendar data is, and of the consequences of unauthorized access, mitigates the insider threat.
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: OpenText
- Date Reserved: 2025-01-30T15:23:28.138Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686656db6f40f0eb72962010
Added to database: 7/3/2025, 10:09:31 AM
Last enriched: 7/3/2025, 10:24:34 AM
Last updated: 7/13/2025, 8:30:30 AM
Related Threats
- CVE-2025-5394: CWE-862 Missing Authorization in Bearsthemes Alone – Charity Multipurpose Non-profit WordPress Theme (Critical)
- CVE-2025-5393: CWE-73 External Control of File Name or Path in Bearsthemes Alone – Charity Multipurpose Non-profit WordPress Theme (Critical)
- CVE-2025-6265: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Zyxel NWA50AX PRO firmware (High)
- CVE-2025-53891: CWE-434 Unrestricted Upload of File with Dangerous Type in TimeLineOfficial Time-Line- (Medium)
- CVE-2025-53835: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xwiki xwiki-rendering (Critical)