CVE-2025-12461: CWE-522 Insufficiently Protected Credentials in Grupo Castilla Epsilon RH
This vulnerability allows an attacker to access parts of the application that are not protected by any type of access control. The attacker could access this path ‘…/epsilonnet/License/About.aspx’ and obtain information on both the licence and the configuration of the product by knowing which modules are installed.
AI Analysis
Technical Summary
CVE-2025-12461 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting Grupo Castilla's Epsilon RH product, specifically version 3.03.36.0185. The flaw arises from a lack of access control on the application path ‘…/epsilonnet/License/About.aspx’, which allows unauthenticated attackers to retrieve sensitive information about the software license and configuration, including details on installed modules. This disclosure helps attackers understand the target environment, potentially enabling more sophisticated attacks or exploitation of other vulnerabilities. The vulnerability is remotely exploitable without any authentication or user interaction, which increases its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) reflects that the attack can be performed over the network with low complexity and no privileges or user interaction required, but the impact is limited to confidentiality loss of license and configuration data. No patches or known exploits have been reported yet, but the exposure of internal configuration details can be leveraged in targeted attacks or social engineering. The vulnerability was assigned and published by INCIBE on October 29, 2025.
Potential Impact
For European organizations using Grupo Castilla's Epsilon RH, this vulnerability poses a risk of unauthorized disclosure of sensitive license and configuration information. Such data leakage can undermine confidentiality, potentially revealing internal software deployment details that attackers can use to tailor attacks or identify other vulnerabilities. While the vulnerability does not directly compromise system integrity or availability, the exposed information could facilitate lateral movement or privilege escalation attempts. Organizations in sectors with strict data protection requirements, such as finance, healthcare, or government, may face compliance risks if this information is leveraged in broader attacks. The ease of exploitation without authentication increases the likelihood of reconnaissance activities by malicious actors. Although no active exploits are known, the vulnerability could be targeted by opportunistic attackers or incorporated into multi-stage attack chains, especially in environments where Epsilon RH is widely deployed.
Mitigation Recommendations
To mitigate CVE-2025-12461, organizations should immediately review and restrict access controls on the ‘…/epsilonnet/License/About.aspx’ endpoint to ensure it is not accessible without proper authentication and authorization. Implementing role-based access control (RBAC) or similar mechanisms to protect sensitive application paths is critical. Network-level controls such as web application firewalls (WAFs) can be configured to block unauthorized requests to this path. Monitoring and logging access to sensitive URLs should be enhanced to detect and respond to suspicious activity promptly. If possible, upgrade to a patched version once available or apply vendor-provided workarounds. Conduct internal audits of the application to identify other endpoints lacking adequate access controls. Additionally, educate IT staff and users about the risks of information disclosure and ensure that sensitive configuration details are not unnecessarily exposed in application responses or error messages.
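As an added example (not from the advisory or the vendor), the access monitoring recommended above can be implemented as a scan of web server logs for unauthenticated, successful reads of the page. It assumes IIS W3C extended logs in which authenticated sessions populate cs-username; the /app/ prefix, addresses, user name and log lines are all constructed.

```python
from collections import Counter

# Path tail taken from the advisory; its prefix is elided there, so match the suffix.
SENSITIVE_SUFFIX = "/epsilonnet/license/about.aspx"

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2025-10-30 09:14:02 203.0.113.7 - GET /app/epsilonnet/License/About.aspx 200
2025-10-30 09:14:09 203.0.113.7 - GET /app/epsilonnet/license/about.aspx 200
2025-10-30 09:20:41 10.0.5.12 CORP\\hradmin GET /app/epsilonnet/License/About.aspx 200
2025-10-30 09:31:55 198.51.100.23 - GET /app/epsilonnet/License/About.aspx 302
2025-10-30 09:40:10 198.51.100.23 - GET /app/epsilonnet/Default.aspx 200
"""


def anonymous_hits(lines):
    """Yield (c-ip, uri, status) for unauthenticated 2xx requests to the page."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        status = row.get("sc-status", "")
        # IIS paths are case-insensitive, so compare in lower case.
        if (uri.lower().endswith(SENSITIVE_SUFFIX)
                and row.get("cs-username", "-") == "-"   # "-" means no identity logged
                and status.startswith("2")):             # content was actually served
            yield row.get("c-ip", "?"), uri, status


def summarize(lines):
    """Count anonymous successful hits per client IP."""
    return Counter(ip for ip, _, _ in anonymous_hits(lines))


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}: {n} unauthenticated read(s) of License/About.aspx")
```

Once access control is in place, the same scan doubles as a regression check: any remaining 2xx response with an empty cs-username means the restriction is not being enforced.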
Affected Countries
Spain, Portugal, France, Italy, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-10-29T10:23:47.181Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6901f6a28cf71dc7fdc086b5
Added to database: 10/29/2025, 11:12:34 AM
Last enriched: 10/29/2025, 11:21:07 AM
Last updated: 10/30/2025, 3:46:58 PM