
CVE-2025-40660: CWE-639 Authorization Bypass Through User-Controlled Key in Dmacroweb DM Corporative CMS

Severity: Medium
Published: Tue Jun 10 2025 (06/10/2025, 10:06:27 UTC)
Source: CVE Database V5
Vendor/Project: Dmacroweb
Product: DM Corporative CMS

Description

An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area by setting the option parameter to 0, 1 or 2 in /administer/select node/data.asp?mode=catalogue&id1=1&id2=1session=&cod=1&networks=0.

AI-Powered Analysis

Last updated: 07/11/2025, 01:04:45 UTC

Technical Analysis

CVE-2025-40660 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the DM Corporative CMS developed by Dmacroweb. This vulnerability allows unauthorized access to private areas of the CMS by manipulating a user-controlled parameter. Specifically, an attacker can set the 'option' parameter to values 0, 1, or 2 within the URL /administer/select node/data.asp?mode=catalogue&id1=1&id2=1session=&cod=1&networks=0 to bypass authorization controls. The vulnerability stems from improper authorization checks on user-supplied input, classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v4.0 base score is 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and no special attack requirements (AT:N), making exploitation relatively straightforward. The impact is primarily on confidentiality, as unauthorized users can access restricted content or administrative functions without proper authorization. There is no indication of integrity or availability impact. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability affects version 0 of the product, which may imply early or initial releases of the CMS. The lack of authentication or user interaction requirements increases the risk of automated exploitation attempts.

Potential Impact

For European organizations using DM Corporative CMS, this vulnerability poses a significant risk to the confidentiality of sensitive administrative or private data managed within the CMS. Unauthorized access could lead to exposure of internal documents, user data, or configuration settings, potentially facilitating further attacks such as privilege escalation or data exfiltration. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, may face compliance violations if sensitive data is exposed. Additionally, the ease of exploitation without authentication means attackers can remotely probe and exploit vulnerable installations, increasing the likelihood of compromise. The absence of known exploits currently reduces immediate risk but also means organizations must proactively address the vulnerability before it is weaponized. The impact on integrity and availability appears minimal based on current information, but unauthorized access could indirectly lead to further malicious activities.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement compensating controls immediately. These include:

1) Restricting access to the /administer/select node/data.asp endpoint via network-level controls such as IP whitelisting or VPN-only access to administrative interfaces.
2) Implementing web application firewalls (WAFs) with custom rules to detect and block requests manipulating the 'option' parameter with unauthorized values.
3) Conducting thorough access control reviews and hardening authorization logic within the CMS if source code or configuration access is available.
4) Monitoring web server logs for suspicious requests targeting the vulnerable endpoint and unusual parameter values.
5) Isolating the CMS environment from public networks where feasible.
6) Engaging with the vendor for updates or patches and planning for timely application once available.
7) Educating administrators about the vulnerability and enforcing strong operational security practices to detect and respond to potential exploitation attempts.
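An added example, not code from the advisory or from Dmacroweb, of the log monitoring in point 4 combined with the network allowlist in point 1: it parses combined-format access log lines and flags requests to the advisory's endpoint that carry option=0, 1 or 2 or that originate outside an assumed administrative range. Only the endpoint path and the parameter values come from the advisory; the log regex, the 10.0.0.0/8 allowlist and the sample log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/administer/select node/data.asp"  # endpoint named in the advisory
ADMIN_NETS = [ip_network("10.0.0.0/8")]  # constructed: the only range allowed to reach /administer/
# Apache/nginx combined log format: client, ident, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')

def parse_line(line):
    """Return (client_ip, method, request_target, status) or None if the line is unparsable."""
    m = LOG_RE.match(line)
    return None if m is None else (m[1], m[2], m[3], int(m[4]))

def classify(line):
    """Return findings for one log line; an empty list means nothing notable."""
    parsed = parse_line(line)
    if parsed is None:
        return ["unparsable line"]
    ip, _method, target, status = parsed
    parts = urlsplit(target)
    if unquote(parts.path).lower() != VULN_PATH:
        return []  # not the vulnerable endpoint
    findings = []
    params = parse_qs(parts.query, keep_blank_values=True)
    # The advisory: option=0, 1 or 2 on this endpoint exposes the private area.
    if any(v in ("0", "1", "2") for v in params.get("option", [])):
        findings.append("option=%s on vulnerable endpoint" % ",".join(params["option"]))
    if not any(ip_address(ip) in net for net in ADMIN_NETS):
        findings.append("admin endpoint hit from non-allowlisted %s" % ip)
    if findings and status == 200:
        findings.append("served 200 (possible successful bypass)")
    return findings

def scan(lines):
    """Map line index -> findings for every line that raised at least one."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}

# Constructed sample lines, not real traffic: legitimate admin, bypass attempt, unrelated page.
SAMPLE_LOG = [
    '10.0.5.7 - admin [10/Jun/2025:10:01:00 +0000] "GET /administer/select%20node/data.asp?mode=catalogue&id1=1&id2=1&cod=1&networks=0 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2025:10:02:13 +0000] "GET /administer/select%20node/data.asp?mode=catalogue&id1=1&id2=1&cod=1&networks=0&option=2 HTTP/1.1" 200 9120 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Jun/2025:10:02:20 +0000] "GET /index.asp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```

Feeding real logs means replacing SAMPLE_LOG with the server's access log lines and ADMIN_NETS with the ranges that legitimately reach the administrative interface; a "served 200" finding on a non-allowlisted source is the case to investigate first.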


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T08:38:13.919Z
CVSS Version
4.0
State
PUBLISHED

Threat ID: 68487f561b0bd07c3938a571

Added to database: 6/10/2025, 6:54:14 PM

Last enriched: 7/11/2025, 1:04:45 AM

Last updated: 8/4/2025, 8:32:32 PM
