CVE-2025-13474: CWE-639 Authorization Bypass Through User-Controlled Key in Menulux Software Inc. Mobile App
Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8.
AI Analysis
Technical Summary
CVE-2025-13474 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Menulux Software Inc. mobile application prior to version 9.5.8. The vulnerability stems from the app's failure to properly validate or restrict user-controlled keys used as trusted identifiers within its authorization logic. This flaw allows an unauthenticated remote attacker to manipulate these keys to gain unauthorized access to protected resources or data, bypassing normal authorization checks. The vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, increasing its risk profile. The CVSS v3.1 base score of 7.5 reflects the ease of exploitation combined with a high impact on confidentiality, as sensitive user or business data could be exposed. However, the vulnerability does not impact data integrity or system availability. No public exploits have been reported yet, but the vulnerability is published and should be considered a significant risk for users of affected app versions. The lack of available patches at the time of reporting necessitates urgent vendor response and user mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure, potentially exposing sensitive customer or business information managed through the Menulux mobile app. Sectors such as hospitality, retail, or any industry relying on Menulux solutions for mobile ordering or service management could face confidentiality breaches. This could lead to regulatory compliance issues under GDPR due to unauthorized access to personal data, reputational damage, and potential financial losses. Since the vulnerability does not affect integrity or availability, operational disruption is less likely, but the confidentiality impact alone warrants urgent attention. The remote, unauthenticated nature of the exploit increases the likelihood of attacks, especially in environments where the app is widely deployed and network access is available.
Mitigation Recommendations
1. Immediately update the Menulux mobile app to version 9.5.8 or later once available, as this version addresses the authorization bypass issue.
2. Until patching is possible, restrict network access to the app's backend services using network segmentation and firewall rules to limit exposure.
3. Conduct a thorough review and audit of authorization mechanisms within the app, focusing on the handling of user-controlled keys and trusted identifiers to ensure proper validation and access controls.
4. Implement monitoring and alerting for unusual access patterns or unauthorized data access attempts related to the app.
5. Educate users and administrators about the risk and encourage prompt application updates.
6. Coordinate with Menulux Software Inc. for timely patches and security advisories.
7. Consider deploying additional application-layer security controls such as Web Application Firewalls (WAF) to detect and block exploitation attempts targeting authorization logic.
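To make the CWE-639 pattern behind this CVE concrete, here is an added, hypothetical backend handler pair (not Menulux code; the order store, principals and function names are constructed for illustration). The vulnerable version returns whatever record the user-supplied key names, treating the identifier itself as proof of authorization; the hardened version is the object-level ownership check that recommendation 3 asks reviewers to confirm is present.

```python
# Added example (hypothetical, not Menulux code): CWE-639 in a resource lookup.
# A request carries a user-controlled key (an order id). If the handler trusts
# that key alone, any caller, even an unauthenticated one, can read any order.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data belonging to two different customers.
ORDERS: Dict[int, Order] = {
    101: Order(101, "alice", 42.50),
    102: Order(102, "bob", 17.00),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def get_order_vulnerable(requester: Optional[str], order_id: int) -> Order:
    """CWE-639: only the user-supplied order_id is consulted. The identity of
    the caller (requester may even be None) is never compared with the record
    owner, so anyone who can guess or enumerate ids reads other users' data."""
    return ORDERS[order_id]


def get_order_hardened(requester: Optional[str], order_id: int) -> Order:
    """Object-level authorization: require an authenticated principal, look up
    the key, then compare the record's owner with that principal. Missing and
    foreign ids raise the same error so the response does not reveal whether
    a given id exists."""
    if requester is None:
        raise Forbidden("authentication required")
    order = ORDERS.get(order_id)
    if order is None or order.owner != requester:
        raise Forbidden(f"{requester} may not access order {order_id}")
    return order


def demo() -> tuple:
    """Returns (owner leaked by the vulnerable handler, whether hardened blocks)."""
    leaked = get_order_vulnerable(None, 102)  # unauthenticated, still gets bob's order
    try:
        get_order_hardened("alice", 102)      # alice asks for bob's order
        blocked = False
    except Forbidden:
        blocked = True
    return leaked.owner, blocked
```

The same check applies to any trusted identifier (device token, account number, ticket id) the backend accepts from the client: the key selects the record, but the authenticated principal must decide whether it may be returned.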
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-11-20T12:01:32.797Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694144fdb7167ed5be7864c9
Added to database: 12/16/2025, 11:39:41 AM
Last enriched: 12/16/2025, 11:47:37 AM
Last updated: 12/16/2025, 8:21:54 PM