CVE-2025-24691 identifies a missing authorization vulnerability in the ctltwp People Lists software, affecting all versions up to and including 1.3.10. The core issue stems from incorrectly configured access control security levels, which fail to properly enforce authorization checks on user requests. This misconfiguration allows unauthorized actors to bypass intended access restrictions and interact with people list data that should be protected. The vulnerability does not require authentication or user interaction, increasing its exploitability. Although no exploits have been reported in the wild, the flaw presents a critical security gap that could lead to unauthorized data disclosure or modification. The absence of a CVSS score suggests the need for an expert severity assessment, which indicates a high risk due to the potential impact on confidentiality and integrity, combined with ease of exploitation. The vulnerability was published on January 24, 2025, with no patches currently available, highlighting the urgency for organizations to implement compensating controls. The affected product, ctltwp People Lists, is used for managing people-related data, making the confidentiality and integrity of this information paramount. Attackers exploiting this vulnerability could gain unauthorized access to sensitive personal or organizational data, potentially leading to privacy violations, data leaks, or further attacks leveraging the exposed information.

The missing authorization vulnerability in ctltwp People Lists can have severe consequences for organizations worldwide. Unauthorized access to people list data can lead to exposure of sensitive personal or organizational information, violating privacy regulations and damaging trust. Integrity of data may be compromised if attackers modify or delete entries, potentially disrupting business operations or decision-making processes. The lack of authentication requirements lowers the barrier for exploitation, increasing the likelihood of attacks. Organizations relying on People Lists for critical personnel management or communication functions may face operational disruptions or reputational harm. Additionally, attackers could use the exposed data as a foothold for further attacks, such as social engineering or lateral movement within networks. The absence of patches means organizations must rely on interim mitigations, increasing their risk exposure. Overall, this vulnerability threatens confidentiality, integrity, and potentially availability if exploited at scale or combined with other attack vectors.

Organizations using ctltwp People Lists should immediately audit and tighten access control configurations to ensure proper authorization enforcement. Restrict network access to the People Lists component to trusted users and systems only, using network segmentation and firewall rules. Monitor logs and user activity for unusual access patterns or unauthorized data retrieval attempts. Engage with the vendor or ctltwp community to obtain updates or patches as soon as they become available. If possible, disable or limit features related to people lists until a secure version is deployed. Implement multi-factor authentication and strong identity management around systems interfacing with People Lists to reduce risk. Conduct regular security assessments and penetration testing focused on access control mechanisms. Prepare incident response plans to quickly address any exploitation attempts. Finally, educate staff about the risks and signs of unauthorized access to sensitive personnel data.