
CVE-2025-34411: CWE-862 Missing Authorization in EQS Group GmbH Convercent Whistleblowing Platform

Severity: Medium
Tags: Vulnerability, CVE-2025-34411, CWE-862
Published: Mon Dec 15 2025 (12/15/2025, 14:43:37 UTC)
Source: CVE Database V5
Vendor/Project: EQS Group GmbH
Product: Convercent Whistleblowing Platform

Description

CVE-2025-34411 is a medium-severity vulnerability in the EQS Group GmbH Convercent Whistleblowing Platform. It involves a missing authorization control on an unauthenticated API endpoint (/GetLegalEntity) that allows remote attackers to enumerate internal customer legal-entity names by submitting search fragments. This information disclosure can reveal which organizations use the platform, exposing sensitive business relationships and compliance infrastructure. The vulnerability requires no authentication or user interaction and has a CVSS 4.0 base score of 6.9. While no known exploits are currently reported in the wild, the data exposure could facilitate targeted phishing, extortion, or other social engineering attacks against whistleblowing programs. European organizations using Convercent are at risk of having their participation in whistleblowing programs exposed, potentially undermining confidentiality and trust. Mitigation involves restricting access to the API endpoint, implementing proper authorization checks, and monitoring for suspicious queries. Countries with significant adoption of Convercent or large compliance-driven sectors, such as Germany, the UK, France, and the Netherlands, are most likely to be affected.

AI-Powered Analysis

AI analysis last updated: 12/15/2025, 15:16:30 UTC

Technical Analysis

The vulnerability identified as CVE-2025-34411 affects the Convercent Whistleblowing Platform developed by EQS Group GmbH. The core issue is a missing authorization control (CWE-862) on the /GetLegalEntity API endpoint, which is accessible without authentication. This endpoint returns internal legal-entity names of customers based on a searchText parameter. An unauthenticated remote attacker can exploit this by submitting common legal suffixes (e.g., GmbH, Ltd, SARL) to enumerate tenant organizations using the platform. This enumeration discloses sensitive information about which companies have whistleblowing programs in place, revealing internal compliance structures and potentially sensitive business relationships. The vulnerability does not impact confidentiality, integrity, or availability of the platform directly but leaks metadata that can be leveraged for targeted attacks such as phishing or extortion. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and low impact on confidentiality (VC:L) with no impact on integrity or availability. No patches or known exploits are currently available, but the exposure of whistleblowing program participation can undermine trust and confidentiality critical to these systems. The vulnerability was published on December 15, 2025, and affects all versions of the product as indicated. The lack of authentication on this endpoint represents a significant design oversight in access control mechanisms.
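The access-control defect described above (CWE-862) is easiest to see as a handler that answers a search without ever asking who is calling. The following is an added illustration, not code from EQS Group or the Convercent platform: a minimal model of a legal-entity lookup in its missing-authorization form beside a hardened form that requires an authenticated principal, checks a permission, scopes results to the caller's own tenant, and rejects very short fragments. The tenant data, `Principal`/`Request` types, the `legal_entity:read` permission name and the `MIN_SEARCH_LEN` value are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): legal entities grouped by the tenant that owns them.
LEGAL_ENTITIES = {
    "tenant-a": ["Alpha Holding GmbH", "Alpha Services Ltd"],
    "tenant-b": ["Beta SARL", "Beta Manufacturing GmbH"],
}

MIN_SEARCH_LEN = 3  # assumed minimum fragment length; tunable


@dataclass(frozen=True)
class Principal:
    """Authenticated caller; permissions is a set of assumed permission strings."""
    user_id: str
    tenant_id: str
    permissions: frozenset


@dataclass
class Request:
    search_text: str
    principal: Optional[Principal] = None  # None models an unauthenticated request


class AuthorizationError(Exception):
    pass


def get_legal_entity_vulnerable(req: Request) -> list:
    """Models the reported pattern: no identity check, every tenant's
    entities are searched, and any fragment is accepted."""
    needle = req.search_text.lower()
    return [
        name
        for names in LEGAL_ENTITIES.values()
        for name in names
        if needle in name.lower()
    ]


def get_legal_entity_hardened(req: Request) -> list:
    """Hardened form: authenticate, authorize, then search only the caller's tenant."""
    if req.principal is None:
        # Authentication first: an anonymous caller never reaches the data.
        raise AuthorizationError("authentication required")
    if "legal_entity:read" not in req.principal.permissions:
        # Authorization: a valid session is not enough, the action must be permitted.
        raise AuthorizationError("permission legal_entity:read missing")
    needle = req.search_text.strip().lower()
    if len(needle) < MIN_SEARCH_LEN:
        # Refuse trivially short fragments rather than returning broad matches.
        return []
    # Tenant scoping: cross-tenant enumeration is impossible by construction.
    own = LEGAL_ENTITIES.get(req.principal.tenant_id, [])
    return [name for name in own if needle in name.lower()]
```

The tenant-scoping step is the one that matters most here: even an authenticated user with a legitimate permission only ever sees entities of the tenant they belong to, so a common suffix such as "GmbH" cannot be used to walk the whole customer base.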

Potential Impact

For European organizations, the impact centers on the exposure of sensitive compliance and whistleblowing program participation data. Whistleblowing platforms are critical for regulatory compliance, corporate governance, and protecting employees who report misconduct. Disclosure of tenant legal entities can enable attackers to craft highly targeted phishing campaigns, social engineering attacks, or extortion attempts aimed at undermining these programs or extracting sensitive information. This could damage organizational reputation, reduce employee trust in whistleblowing mechanisms, and potentially lead to regulatory scrutiny if confidentiality is compromised. While the vulnerability does not directly allow data manipulation or service disruption, the indirect consequences of information disclosure can be severe, especially in sectors with stringent compliance requirements such as finance, healthcare, and government. European GDPR regulations also emphasize protecting personal and organizational data, and exposure of such metadata could raise compliance concerns. Organizations using Convercent must consider the reputational and operational risks associated with this vulnerability.

Mitigation Recommendations

To mitigate CVE-2025-34411, organizations and EQS Group GmbH should implement strict access controls on the /GetLegalEntity API endpoint, ensuring it requires proper authentication and authorization before returning any data. Rate limiting and anomaly detection should be applied to detect and block enumeration attempts. EQS Group should issue patches or updates that enforce these controls and remove unauthenticated access. Organizations should audit their Convercent platform configurations to verify no public or unauthenticated endpoints expose sensitive information. Additionally, monitoring network traffic for unusual queries to this endpoint can help detect exploitation attempts. Employee awareness training should emphasize the risk of phishing and social engineering attacks leveraging this information. Finally, organizations should review their whistleblowing program communications to reinforce confidentiality assurances and prepare incident response plans for potential targeted attacks stemming from this vulnerability.
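The monitoring recommendation above can be made concrete with a small detector run over web-server access logs. The following is an added example, not code from EQS Group, the Convercent platform, or this advisory's source: it parses combined-format log lines, keeps only requests to /GetLegalEntity, and flags any source address that issues a burst of distinct `searchText` fragments within a short window, which is the signature of suffix-based enumeration. The sample log lines, the addresses, the `WINDOW` and `THRESHOLD` values are constructed assumptions and should be tuned to real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/GetLegalEntity"
WINDOW = timedelta(seconds=60)  # assumed observation window
THRESHOLD = 5                   # assumed: distinct fragments per source within WINDOW

# Combined/common log format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log (hypothetical addresses and timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2025:14:50:01 +0000] "GET /GetLegalEntity?searchText=GmbH HTTP/1.1" 200 512',
    '198.51.100.4 - - [15/Dec/2025:14:50:03 +0000] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [15/Dec/2025:14:50:06 +0000] "GET /GetLegalEntity?searchText=Ltd HTTP/1.1" 200 498',
    '203.0.113.7 - - [15/Dec/2025:14:50:11 +0000] "GET /GetLegalEntity?searchText=SARL HTTP/1.1" 200 301',
    '198.51.100.4 - - [15/Dec/2025:14:50:12 +0000] "GET /GetLegalEntity?searchText=Example%20Holding HTTP/1.1" 200 88',
    '203.0.113.7 - - [15/Dec/2025:14:50:16 +0000] "GET /GetLegalEntity?searchText=AG HTTP/1.1" 200 640',
    '203.0.113.7 - - [15/Dec/2025:14:50:21 +0000] "GET /GetLegalEntity?searchText=SA HTTP/1.1" 200 702',
    '203.0.113.7 - - [15/Dec/2025:14:50:27 +0000] "GET /GetLegalEntity?searchText=Inc HTTP/1.1" 200 355',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return (ip, timestamp, fragment) for a request to ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    fragment = parse_qs(parts.query).get("searchText", [""])[0]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, fragment


def find_enumeration(lines):
    """Map each flagged source ip to the largest number of distinct fragments
    it sent to ENDPOINT inside any WINDOW-long sliding window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ip, ts, fragment = rec
            events[ip].append((ts, fragment))

    alerts = {}
    for ip, recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside WINDOW.
            while recs[end][0] - recs[start][0] > WINDOW:
                start += 1
            distinct = {frag.lower() for _, frag in recs[start:end + 1]}
            if len(distinct) >= THRESHOLD:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {count} distinct searchText values in {WINDOW}")
```

Counting distinct fragments rather than raw requests keeps a user who retries the same search from tripping the rule, while a client cycling through legal suffixes still stands out; the same logic can feed a rate limiter or a SIEM rule once the endpoint has been put behind authentication.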


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.599Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6940227fd9bcdf3f3de27537

Added to database: 12/15/2025, 3:00:15 PM

Last enriched: 12/15/2025, 3:16:30 PM

Last updated: 12/15/2025, 4:18:56 PM

