CVE-2025-10947 is a medium-severity authorization bypass vulnerability affecting Sistemas Pleno Gestão de Locação software versions 2025.0 through 2025.7. The vulnerability resides in an unspecified function within the /api/areacliente/pessoa/validarCpf API endpoint, part of the CPF Handler component. By manipulating the pes_cpf parameter, an attacker can bypass authorization checks, gaining unauthorized access to protected resources or functionality. The attack can be performed remotely over the network without requiring authentication or user interaction, making exploitation relatively straightforward. The vulnerability does not impact confidentiality, integrity, or availability directly but compromises access control, potentially exposing sensitive client information or allowing unauthorized operations. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) indicates an exploit is publicly available and the attack complexity is low. No known exploits in the wild have been reported yet, but the published exploit code increases the likelihood of active exploitation. The vendor has addressed the issue in version 2025.8.0, and upgrading is the recommended remediation. Given the nature of the vulnerability, it is critical for organizations using this software to apply the patch promptly to prevent unauthorized access and potential data breaches.

The primary impact of CVE-2025-10947 is unauthorized access due to bypassed authorization controls, which can lead to exposure of sensitive client data or unauthorized operations within the Sistemas Pleno Gestão de Locação platform. This can result in data confidentiality breaches, potential privacy violations, and operational disruptions if unauthorized users manipulate rental management functions. Since the vulnerability requires no authentication or user interaction and can be exploited remotely, the attack surface is broad, increasing risk for all exposed instances. Organizations relying on this software for rental management may face reputational damage, regulatory penalties, and financial losses if exploited. The medium severity rating reflects the moderate but significant risk posed by this vulnerability, especially in environments with sensitive client data or critical business processes. The availability of public exploit code further elevates the threat, necessitating urgent remediation.

1. Immediately upgrade Sistemas Pleno Gestão de Locação to version 2025.8.0 or later, as this update contains the fix for the authorization bypass vulnerability. 2. If immediate upgrade is not possible, implement network-level access controls to restrict access to the /api/areacliente/pessoa/validarCpf endpoint, limiting it to trusted IP addresses or VPN users. 3. Monitor logs for unusual or unauthorized access attempts targeting the pes_cpf parameter or the affected API endpoint. 4. Employ Web Application Firewalls (WAF) with custom rules to detect and block suspicious manipulations of the pes_cpf argument. 5. Conduct a thorough audit of user permissions and access controls within the application to ensure no excessive privileges exist that could be exploited. 6. Educate security and IT teams about this vulnerability and the importance of patching to prevent exploitation. 7. Review and enhance incident response plans to quickly address any signs of compromise related to this vulnerability. 8. Consider implementing multi-factor authentication and additional authorization layers where feasible to reduce risk from similar vulnerabilities.