
CVE-2025-13474: CWE-639 Authorization Bypass Through User-Controlled Key in Menulux Software Inc. Mobile App

Severity: High
Tags: Vulnerability, CVE-2025-13474, CWE-639
Published: Tue Dec 16 2025 (12/16/2025, 11:25:49 UTC)
Source: CVE Database V5
Vendor/Project: Menulux Software Inc.
Product: Mobile App

Description

Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8.

AI-Powered Analysis

Last updated: 12/23/2025, 12:12:11 UTC

Technical Analysis

CVE-2025-13474 identifies an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in the Menulux Software Inc. Mobile App. The vulnerability exists in versions prior to 9.5.8 and stems from the application's failure to properly validate or restrict user-controlled keys that are used as trusted identifiers in authorization decisions. An attacker can alter such a key to access protected resources or data belonging to another party, without authentication or user interaction. The vulnerability is remotely exploitable over the network with low complexity, meaning no specialized conditions or privileges are required. The CVSS v3.1 score of 7.5 reflects a high severity level, driven by the high impact on confidentiality; integrity and availability are unaffected. No known exploits have been reported in the wild as of the publication date (December 16, 2025). No patch links are included in the record, although the affected-version range implies that 9.5.8 or later contains the fix. The vulnerability poses a significant risk to any organization relying on the affected Menulux mobile app, as unauthorized data disclosure could lead to privacy violations, regulatory non-compliance, and reputational damage.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized access to sensitive or confidential data managed through the Menulux mobile app, potentially exposing customer information, internal communications, or proprietary data. The breach of confidentiality could result in violations of GDPR and other data protection regulations, leading to legal penalties and loss of customer trust. Since the vulnerability does not affect integrity or availability, operational disruption is less likely; however, the exposure of sensitive data alone can have severe consequences. Organizations in sectors such as hospitality, retail, or services that utilize Menulux's mobile solutions for customer engagement or internal operations are particularly at risk. The ease of remote exploitation without authentication increases the threat landscape, making it feasible for external attackers to target vulnerable endpoints. The absence of known exploits in the wild provides a window for proactive mitigation but also underscores the need for vigilance as attackers may develop exploits in the future.

Mitigation Recommendations

1. Immediately update the Menulux Mobile App to version 9.5.8 or later, where the vulnerability is addressed.
2. Implement strict server-side validation of all authorization keys and trusted identifiers to ensure they cannot be manipulated by users.
3. Employ robust access control mechanisms that do not rely solely on client-supplied keys for authorization decisions.
4. Conduct regular security audits and penetration testing focused on authorization logic within the app and backend services.
5. Monitor network traffic and application logs for unusual access patterns or attempts to exploit authorization mechanisms.
6. Educate development teams on secure coding practices related to authorization and key management to prevent similar vulnerabilities.
7. Coordinate with Menulux Software Inc. for timely security updates and advisories.
8. For organizations with custom integrations, review and harden API endpoints to reject unauthorized requests even if keys are manipulated.
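The following is an added example, not code from the advisory or from Menulux: it models the CWE-639 pattern that recommendations 2, 3 and 5 address, with a vulnerable lookup keyed only on a client-supplied identifier, a hardened lookup bound to the server-side session identity, and a log check for cross-owner record requests. The `Order` records, user ids and log format are constructed for illustration.

```python
# Added example, not code from the advisory or from Menulux: a minimal model of the
# CWE-639 pattern and its fix, using constructed records (hypothetical Order/ORDERS).
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    contents: str

# Constructed sample data standing in for the backend's store.
ORDERS = {
    101: Order(101, owner_id=1, contents="table 4: 2x espresso"),
    102: Order(102, owner_id=2, contents="table 9: 1x pasta"),
}

class Forbidden(Exception):
    pass

def get_order_vulnerable(order_id: int) -> Order:
    """CWE-639: the client-supplied key is the only input to the authorization decision."""
    return ORDERS[order_id]

def get_order_hardened(session_user_id: int, order_id: int) -> Order:
    """Fix: bind the lookup to the server-side session identity, never to a client key."""
    order = ORDERS.get(order_id)
    # Same outcome for "missing" and "not yours", so responses do not confirm existence.
    if order is None or order.owner_id != session_user_id:
        raise Forbidden("order not accessible")
    return order

def hardened_allows(session_user_id: int, order_id: int) -> bool:
    """Boolean wrapper around the hardened lookup, convenient for tests and policy checks."""
    try:
        get_order_hardened(session_user_id, order_id)
        return True
    except Forbidden:
        return False

def suspicious_sessions(log_lines, threshold: int = 2) -> dict:
    """Recommendation 5 in code: per session user, count requests for records owned by
    someone else and report users at or above the threshold.
    Constructed log format: 'user=<id> order=<id>'."""
    hits = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        user, order_id = int(fields["user"]), int(fields["order"])
        order = ORDERS.get(order_id)
        if order is not None and order.owner_id != user:
            hits[user] += 1
    return {u: n for u, n in hits.items() if n >= threshold}

# Constructed log sample: user 1 requests user 2's order twice.
SAMPLE_LOG = ["user=1 order=101", "user=1 order=102", "user=1 order=102", "user=2 order=102"]
```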


Technical Details

Data Version
5.2
Assigner Short Name
TR-CERT
Date Reserved
2025-11-20T12:01:32.797Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 694144fdb7167ed5be7864c9

Added to database: 12/16/2025, 11:39:41 AM

Last enriched: 12/23/2025, 12:12:11 PM

Last updated: 2/7/2026, 10:49:36 AM
