CVE-2025-12766 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting BlackBerry AtHoc (OnPrem) version 7.21. The vulnerability arises from an Insecure Direct Object Reference (IDOR) in the Management Console of the Interactive Warning System (IWS). Specifically, the system fails to properly validate user-controlled keys when accessing organizational data, allowing an attacker with limited privileges to access information about other organizations hosted on the same platform. This flaw does not permit modification or deletion of data but exposes confidential information that could be leveraged for further attacks or intelligence gathering. The vulnerability is remotely exploitable over the network without user interaction but requires some level of privileges (PR:L) to access the management console. The CVSS 3.1 base score is 5.0, reflecting a medium severity level due to the limited confidentiality impact and no impact on integrity or availability. No known exploits are currently reported in the wild. The vulnerability highlights the importance of strict access control validation and proper authorization checks in multi-tenant environments like AtHoc, which is widely used for emergency communication and crisis management in government and critical infrastructure sectors.

For European organizations, the primary impact is unauthorized disclosure of sensitive organizational information hosted on the same BlackBerry AtHoc IWS platform. This exposure could aid threat actors in reconnaissance, enabling more targeted attacks or social engineering campaigns. While the vulnerability does not allow data modification or service disruption, the leakage of confidential information could undermine trust and operational security, especially in sectors such as government, emergency services, and critical infrastructure. Given AtHoc's role in crisis communication, any compromise of confidentiality could have downstream effects on emergency preparedness and response coordination. Organizations relying on AtHoc OnPrem 7.21 should consider the risk of information leakage as a significant concern, particularly where multiple organizations share the same platform instance.

1. Apply vendor patches immediately once they become available to address the authorization bypass vulnerability. 2. Until patches are released, restrict access to the AtHoc Management Console to a minimal set of trusted administrators using network segmentation and strong access controls. 3. Implement strict role-based access controls (RBAC) and audit logging to detect and prevent unauthorized access attempts. 4. Monitor network traffic and management console logs for unusual or unauthorized access patterns that may indicate exploitation attempts. 5. Conduct regular security assessments and penetration testing focused on multi-tenant access controls within the AtHoc environment. 6. Educate administrators on the risks of IDOR vulnerabilities and the importance of validating user inputs and keys. 7. Consider isolating organizational instances or deploying separate AtHoc environments for different organizations if feasible to reduce cross-tenant exposure.