CVE-2025-23971: CWE-862 Missing Authorization in whassan KI Live Video Conferences
Missing Authorization vulnerability in whassan KI Live Video Conferences allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects KI Live Video Conferences: from n/a through 5.5.15.
AI Analysis
Technical Summary
CVE-2025-23971 is a Missing Authorization vulnerability (CWE-862) found in the whassan KI Live Video Conferences product, affecting versions up to 5.5.15. This vulnerability arises from incorrectly configured access control security levels, allowing unauthorized users to perform actions or access resources that should be restricted. The vulnerability does not require authentication (PR:N) or user interaction (UI:N), and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). The impact is limited to integrity (I:L), meaning unauthorized modification or manipulation of data or conference settings is possible, but confidentiality and availability are not directly affected. The CVSS v3.1 base score is 5.3, categorized as medium severity. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability could allow attackers to interfere with live video conference sessions, potentially altering meeting parameters, injecting unauthorized content, or disrupting the intended flow of communication by unauthorized changes, which could undermine trust and operational security in sensitive communications.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, especially for entities relying on KI Live Video Conferences for confidential or regulated communications, such as government bodies, financial institutions, healthcare providers, and large enterprises. Unauthorized integrity modifications could lead to misinformation, manipulation of meeting content, or unauthorized changes to participant permissions, which may result in compliance violations under GDPR or sector-specific regulations. Although confidentiality is not directly compromised, the integrity breach could indirectly affect decision-making processes and operational security. The lack of authentication requirement increases the risk of opportunistic attacks from external threat actors. Given the increasing reliance on video conferencing for remote work and cross-border collaboration in Europe, this vulnerability could disrupt business continuity and erode trust in communication platforms if exploited.
Mitigation Recommendations
Organizations using KI Live Video Conferences should immediately review and harden access control configurations to ensure proper authorization checks are enforced for all sensitive actions and resources. Network-level restrictions such as IP whitelisting or VPN access can reduce exposure. Monitoring and logging of conference activities should be enhanced to detect unusual or unauthorized modifications. Until an official patch is released, consider deploying compensating controls such as restricting conference creation and management privileges to trusted administrators only. User training to recognize and report suspicious conference behavior is also recommended. Regularly check for vendor updates or security advisories to apply patches promptly once available. Additionally, consider evaluating alternative video conferencing solutions with stronger security postures if the risk is unacceptable.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-16T11:33:05.292Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842f14971f4d251b5c95e96
Added to database: 6/6/2025, 1:46:49 PM
Last enriched: 7/7/2025, 7:58:35 PM
Last updated: 8/1/2025, 10:40:47 PM