CVE-2025-13164 identifies a vulnerability in Digiwin EasyFlow GP version 5.8.8.3, where credentials for Active Directory (AD) and system mail accounts are insufficiently protected, allowing privileged remote attackers to retrieve them in plaintext from the system frontend. This vulnerability is categorized under CWE-522, which concerns the inadequate protection of credentials in storage or transit. The flaw enables attackers with privileged network access to extract sensitive authentication data without requiring user interaction or additional authentication steps. The CVSS 4.0 vector (AV:N/AC:L/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates that the attack is network-based with low complexity, no user interaction, but requires high privileges. The impact is primarily on confidentiality, as attackers can obtain plaintext credentials that could be used for further lateral movement or privilege escalation within an enterprise environment. No patches are currently linked, and no known exploits are reported in the wild, but the exposure of plaintext credentials represents a significant risk if exploited. Digiwin EasyFlow GP is an enterprise workflow and process management product, often integrated with AD and mail systems, making the protection of these credentials critical to maintaining overall system security.

For European organizations, the exposure of plaintext AD and mail system credentials can lead to severe consequences including unauthorized access to critical enterprise resources, data breaches, and potential disruption of business operations. Compromise of AD credentials can enable attackers to move laterally within corporate networks, escalate privileges, and access sensitive data or systems. The theft of system mail credentials could facilitate interception or manipulation of corporate communications, increasing the risk of phishing or fraud. Given the integration of EasyFlow GP in enterprise workflows, exploitation could undermine trust in automated processes and impact compliance with data protection regulations such as GDPR. The medium severity rating reflects the necessity of privileged access to exploit the vulnerability, but once exploited, the confidentiality impact is high. European organizations with complex AD environments and reliance on Digiwin products are particularly vulnerable to these risks.

Organizations should immediately audit and restrict privileged access to Digiwin EasyFlow GP systems to minimize exposure. Until official patches are released, consider isolating the affected system frontend from untrusted networks and enforcing strict network segmentation. Encrypt stored credentials and implement credential vaulting solutions to prevent plaintext storage. Enable detailed logging and continuous monitoring for unusual access patterns or credential extraction attempts. Conduct regular security assessments and penetration tests focusing on credential management. Educate administrators on the risks of credential exposure and enforce strong password policies and multi-factor authentication for privileged accounts. Once Digiwin releases patches or updates addressing this vulnerability, prioritize their deployment. Additionally, review and harden integration points between EasyFlow GP, AD, and mail systems to reduce attack surface.