CVE-2025-10174 is a vulnerability classified under CWE-319, indicating cleartext transmission of sensitive information in Pan Software & Information Technologies Ltd.'s PanCafe Pro software. Versions prior to 3.3.2 up to the build dated 23092025 are affected. The vulnerability allows attackers to intercept sensitive data transmitted without encryption, exposing it to unauthorized parties. Additionally, the vulnerability facilitates flooding attacks, which can degrade or disrupt service availability. The CVSS 3.1 base score is 8.3, reflecting high severity, with the vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H. This means the attack can be performed remotely over an adjacent network (e.g., local network), requires no privileges or user interaction, and impacts confidentiality (high), integrity (low), and availability (high). The vulnerability's exploitation complexity is low, increasing the risk of successful attacks. Although no known exploits are currently reported in the wild, the potential for interception of sensitive data and denial of service through flooding makes this a critical issue. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate risk mitigation. The vulnerability primarily affects network communications within PanCafe Pro, which is commonly used in internet cafes and similar environments for managing client sessions and billing.

For European organizations, this vulnerability poses significant risks, especially those operating internet cafes, gaming centers, or other public access computing facilities using PanCafe Pro. The cleartext transmission of sensitive information can lead to exposure of user credentials, payment data, or session information, resulting in data breaches and privacy violations under GDPR. The flooding aspect can cause denial of service, disrupting business operations and causing financial losses. Organizations may face regulatory penalties if sensitive customer data is compromised. The vulnerability's exploitation over adjacent networks means that attackers within the same local network or connected segments can easily intercept data or launch flooding attacks. This is particularly concerning in densely populated urban areas or shared network environments common in Europe. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation. Overall, the vulnerability threatens confidentiality and availability, potentially undermining trust and operational continuity.

Immediate mitigation should focus on network segmentation to isolate PanCafe Pro systems from untrusted or public networks, minimizing exposure to adjacent attackers. Deploying network-level encryption such as VPNs or TLS tunnels can help protect data in transit until an official patch is released. Monitoring network traffic for unusual flooding patterns or data exfiltration attempts is critical for early detection. Organizations should restrict access to PanCafe Pro management interfaces to trusted personnel and networks only. Once available, promptly upgrade PanCafe Pro to version 3.3.2 or later to remediate the vulnerability. Additionally, implementing strong access controls and regularly auditing system logs can help identify and prevent exploitation attempts. Training staff to recognize signs of network attacks and ensuring incident response plans are updated to address this vulnerability will improve resilience. Finally, engaging with the vendor for timely updates and security advisories is essential.