
CVE-2025-28996: CWE-862 Missing Authorization in Thad Allender GPP Slideshow

Medium
Published: Fri Jun 06 2025 (06/06/2025, 12:54:28 UTC)
Source: CVE Database V5
Vendor/Project: Thad Allender
Product: GPP Slideshow

Description

Missing Authorization vulnerability in Thad Allender GPP Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GPP Slideshow: from n/a through 1.3.5.

AI-Powered Analysis

Last updated: 07/08/2025, 07:57:30 UTC

Technical Analysis

CVE-2025-28996 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) in the GPP Slideshow product developed by Thad Allender, affecting versions up to and including 1.3.5. It arises from improperly configured access control: an authenticated attacker with low privileges (PR:L - Privileges Required: Low) can reach functionality that lacks an authorization check. The vulnerability is exploitable over the network (AV:N - Attack Vector: Network) and requires no user interaction (UI:N). It affects only the integrity of the application (I:L - Integrity Low); confidentiality and availability are not impacted. In practice, a low-privileged user can perform actions or reach functionality that should be restricted, potentially modifying slideshow content or configuration without proper authorization. The scope is unchanged (S:U), so the impact is confined to the vulnerable component and does not extend to other system components. No exploits in the wild are currently reported, and no patch has been linked yet. The vulnerability was published on June 6, 2025, with a CVSS v3.1 base score of 4.3, indicating medium risk. The root cause is a missing or incorrect authorization check in the GPP Slideshow application, which could lead to privilege escalation or unauthorized modifications within the application context.
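The following is an added illustration of the CWE-862 pattern described above; it is example code, not GPP Slideshow's own code and not the actual fix. It assumes the plugin runs on WordPress and exposes a slide-editing action through admin-ajax.php, which this page does not state; the hook name `gpp_update_slide`, the post type `gpp_slide` and the meta key `_gpp_caption` are hypothetical.

```php
<?php
// Added example, not GPP Slideshow code. Assumes a WordPress plugin that
// lets editors change slide captions via admin-ajax.php (hypothetical
// hook, post type and meta key; the page does not describe the real ones).

// Vulnerable pattern (CWE-862, Missing Authorization): any logged-in user
// who can reach the wp_ajax_ hook gets the write performed, because the
// handler never asks whether the caller may manage slideshows.
// Shown for contrast only; it is deliberately NOT registered below.
function gpp_update_slide_vulnerable() {
    $slide_id = (int) ($_POST['slide_id'] ?? 0);
    $caption  = sanitize_text_field((string) ($_POST['caption'] ?? ''));
    update_post_meta($slide_id, '_gpp_caption', $caption);   // no capability check
    wp_send_json_success();
}

// Hardened form: check a capability (authorization) and a nonce (request
// intent) before touching data, then confirm the target is one of the
// plugin's own slides and that this user may edit that specific post.
function gpp_update_slide_hardened() {
    // Authorization: only users allowed to edit others' content proceed.
    if (!current_user_can('edit_others_posts')) {
        wp_send_json_error('forbidden', 403);            // wp_die()s here
    }
    // Intent: reject requests that do not carry a valid nonce for this action.
    check_ajax_referer('gpp_update_slide', '_wpnonce');  // dies on failure

    $slide_id = (int) ($_POST['slide_id'] ?? 0);
    // Object-level check: the id must be a slide, and editable by this user.
    if (get_post_type($slide_id) !== 'gpp_slide'
        || !current_user_can('edit_post', $slide_id)) {
        wp_send_json_error('forbidden', 403);
    }

    $caption = sanitize_text_field((string) ($_POST['caption'] ?? ''));
    update_post_meta($slide_id, '_gpp_caption', $caption);
    wp_send_json_success(array('slide_id' => $slide_id));
}

// Only the hardened handler is wired to the AJAX hook.
add_action('wp_ajax_gpp_update_slide', 'gpp_update_slide_hardened');
```

The same three checks (capability, nonce, object-level ownership) apply to admin-post.php handlers and REST routes, where the `permission_callback` carries the capability check.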

Potential Impact

For European organizations using GPP Slideshow, this vulnerability could lead to unauthorized modification of slideshow content or configurations, potentially undermining the integrity of presentations or digital signage systems. While confidentiality and availability are not directly impacted, an integrity compromise could result in misinformation, defacement, or manipulation of displayed content, which might affect corporate communications, marketing, or internal messaging. Organizations in sectors that rely heavily on digital signage or presentation tools, such as retail, education, and corporate environments, may face reputational damage or operational disruption. Since exploitation requires low privileges but no user interaction, insider threats or attackers who have already gained limited access could leverage this vulnerability to extend their control within the application. The absence of known exploits in the wild reduces immediate risk, but the lack of a patch calls for caution. The impact is more pronounced where GPP Slideshow is integrated with critical business processes or public-facing displays.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first inventory their use of GPP Slideshow and identify affected versions (up to 1.3.5). Until an official patch is released, organizations should implement strict access controls to limit user privileges, ensuring that only trusted users have low-level access to the application. Network segmentation and firewall rules should restrict access to the GPP Slideshow management interfaces to authorized personnel only. Monitoring and logging of user actions within the application should be enhanced to detect unauthorized modifications promptly. Additionally, organizations can consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the slideshow management endpoints. If feasible, temporarily disabling or restricting the use of GPP Slideshow features that allow content modification can reduce exposure. Finally, organizations should maintain close communication with the vendor for patch releases and apply updates promptly once available.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-11T08:10:52.910Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842edda71f4d251b5c87f65

Added to database: 6/6/2025, 1:32:10 PM

Last enriched: 7/8/2025, 7:57:30 AM

Last updated: 8/4/2025, 10:19:05 AM
