
CVE-2025-10947: Authorization Bypass in Sistemas Pleno Gestão de Locação

Severity: Medium
Tags: Vulnerability, CVE-2025-10947, cve, cve-2025-10947
Published: Thu Sep 25 2025 (09/25/2025, 13:02:09 UTC)
Source: CVE Database V5
Vendor/Project: Sistemas Pleno
Product: Gestão de Locação

Description

A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component.

AI-Powered Analysis

Last updated: 09/25/2025, 13:05:02 UTC

Technical Analysis

CVE-2025-10947 is an authorization bypass vulnerability identified in the Sistemas Pleno Gestão de Locação software, specifically affecting versions up to 2025.7.x. The vulnerability resides in an unspecified function within the /api/areacliente/pessoa/validarCpf endpoint, part of the CPF Handler component. The flaw allows an attacker to manipulate the 'pes_cpf' argument, which is presumably used to validate Brazilian individual taxpayer registry identification numbers (CPF). By exploiting this manipulation, an attacker can bypass authorization controls remotely without requiring authentication or user interaction. This means unauthorized users can potentially access or perform actions reserved for authorized users, compromising the system's integrity and confidentiality.

The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (VC:L) with no impact on integrity or availability. Although no known exploits are currently observed in the wild, a proof-of-concept exploit has been published, increasing the risk of exploitation. The vendor has addressed the issue in version 2025.8.0, and upgrading to this version fully mitigates the vulnerability.

Potential Impact

For European organizations using Sistemas Pleno Gestão de Locação, this vulnerability poses a significant risk of unauthorized access to sensitive client data or management functions within the rental management system. Given that the vulnerability allows remote exploitation without authentication, attackers could leverage it to gain unauthorized access to customer information, potentially leading to data breaches involving personally identifiable information (PII). This could result in violations of the EU General Data Protection Regulation (GDPR), leading to legal penalties and reputational damage. Additionally, unauthorized access could disrupt business operations by allowing malicious actors to manipulate rental agreements or client records, undermining trust and operational integrity. The medium severity rating suggests that while the vulnerability is serious, it does not directly impact system availability or integrity, but the confidentiality breach alone is critical for compliance and business continuity. Organizations relying on this software for property or asset management should prioritize remediation to prevent exploitation.

Mitigation Recommendations

1. Immediate upgrade to Sistemas Pleno Gestão de Locação version 2025.8.0 or later, as this version contains the patch that fixes the authorization bypass vulnerability.
2. Implement strict network segmentation and firewall rules to restrict access to the /api/areacliente/pessoa/validarCpf endpoint, limiting exposure to trusted internal networks or VPN users only.
3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous or malformed requests targeting the 'pes_cpf' parameter to mitigate exploitation attempts.
4. Conduct regular security audits and penetration testing focusing on authorization mechanisms within the application to identify and remediate similar flaws proactively.
5. Monitor logs for unusual access patterns or repeated failed authorization attempts on the affected API endpoint to detect potential exploitation early.
6. Educate development and security teams about secure coding practices related to input validation and authorization checks to prevent recurrence in future releases.
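An added example for recommendations 3 and 5 (not code from the vendor or the advisory): it scans access-log lines for the affected endpoint, flags `pes_cpf` values that are not well-formed CPFs (shape plus the two mod-11 check digits), and reports clients that query more than a threshold of distinct CPFs. It assumes the parameter travels in the query string of a combined-format access log; the log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/areacliente/pessoa/validarCpf"  # path named in the advisory
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
CPF_SHAPE = re.compile(r"^\d{3}\.?\d{3}\.?\d{3}-?\d{2}$")

def cpf_is_valid(value):
    """True only for a well-formed CPF whose two mod-11 check digits match."""
    if not CPF_SHAPE.match(value):
        return False
    d = [int(c) for c in value if c.isdigit()]
    if len(set(d)) == 1:  # 000..., 111... satisfy the arithmetic but are rejected by convention
        return False
    for n in (9, 10):  # digit n+1 is the check digit over the first n digits
        total = sum(d[i] * (n + 1 - i) for i in range(n))
        if (total * 10) % 11 % 10 != d[n]:
            return False
    return True

def scan(lines, max_distinct=3):
    """Return malformed pes_cpf requests and clients querying many distinct CPFs."""
    malformed, seen = [], defaultdict(set)
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        values = parse_qs(url.query, keep_blank_values=True).get("pes_cpf", [""])
        for value in values:
            if cpf_is_valid(value):
                seen[ip].add(re.sub(r"\D", "", value))
            else:
                malformed.append((ip, value))
    enumerating = sorted(ip for ip, cpfs in seen.items() if len(cpfs) > max_distinct)
    return {"malformed": malformed, "enumerating": enumerating}

# Constructed sample traffic (documentation-range IPs, commonly used test CPFs).
SAMPLE = [
    f'{ip} - - [25/Sep/2025:13:10:01 +0000] "GET {ENDPOINT}?pes_cpf={v} HTTP/1.1" 200 87'
    for ip, v in [("198.51.100.7", "529.982.247-25"), ("203.0.113.9", "00000000000"),
                  ("203.0.113.9", "12345678900"), ("203.0.113.9", ""),
                  ("192.0.2.44", "11144477735"), ("192.0.2.44", "52998224725"),
                  ("192.0.2.44", "12345678909"), ("192.0.2.44", "98765432100")]
]
```

Calling `scan(SAMPLE)` returns the malformed requests and the enumerating clients; if the application sends `pes_cpf` in a request body instead, the same checks apply to whatever source records the body.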


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-25T06:01:51.197Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d53de3fd5656ece925daf1

Added to database: 9/25/2025, 1:04:35 PM

Last enriched: 9/25/2025, 1:05:02 PM

Last updated: 9/25/2025, 8:01:20 PM
