CVE-2025-10644 is a critical security vulnerability identified in Wondershare Repairit version 6.5.2. The flaw stems from incorrect privilege assignment related to the use of Shared Access Signature (SAS) tokens, which are intended to provide scoped, time-limited access to resources. In this case, the SAS tokens are configured with overly permissive rights, allowing remote attackers to bypass authentication mechanisms entirely. This means no user authentication or interaction is required to exploit the vulnerability. An attacker leveraging this flaw can perform a supply-chain attack by injecting or executing arbitrary code on the endpoints of Wondershare Repairit customers. The vulnerability is classified under CWE-266, which relates to improper privilege assignment, and has been cataloged as ZDI-CAN-26892 prior to public disclosure. The CVSS v3.0 base score of 9.4 reflects the high severity, with network attack vector, no required privileges or user interaction, and significant impacts on confidentiality and integrity, with some impact on availability. Although no public exploits are currently known in the wild, the potential for remote code execution and authentication bypass makes this a serious threat to affected users.

For European organizations using Wondershare Repairit 6.5.2, this vulnerability poses a significant risk. The ability for unauthenticated remote attackers to bypass authentication and execute arbitrary code could lead to unauthorized access to sensitive data, disruption of business operations, and potential lateral movement within corporate networks. Given the supply-chain attack vector, attackers could compromise the integrity of software updates or the Repairit application itself, leading to widespread infection and persistent threats. Confidentiality breaches could expose personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The integrity of critical data repair processes could be undermined, affecting data recovery efforts and trust in the software. Availability impact is lower but still present, as attackers might disrupt Repairit's functionality. Overall, the vulnerability could facilitate espionage, data theft, or sabotage, particularly in sectors reliant on data recovery tools.

Immediate mitigation should focus on upgrading Wondershare Repairit to a patched version once available, as no patches are currently linked. Until then, organizations should restrict network access to Repairit services, especially from untrusted networks, using firewalls and network segmentation. Monitoring network traffic for anomalous SAS token usage or unexpected remote connections can help detect exploitation attempts. Implement application whitelisting and endpoint detection and response (EDR) solutions to identify and block unauthorized code execution. Organizations should also review and tighten permissions related to SAS tokens and any associated cloud storage or services. Conduct thorough audits of software supply chains and verify the integrity of Repairit installations. User training to recognize suspicious activity and incident response plans tailored to supply-chain attacks will further enhance resilience.