
CVE-2025-40661: CWE-639 Authorization Bypass Through User-Controlled Key in Dmacroweb DM Corporative CMS

Medium
Tags: Vulnerability, CVE-2025-40661, CWE-639
Published: Tue Jun 10 2025 (06/10/2025, 10:06:40 UTC)
Source: CVE Database V5
Vendor/Project: Dmacroweb
Product: DM Corporative CMS

Description

An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/selection.asp.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 00:49:37 UTC

Technical Analysis

CVE-2025-40661 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the DM Corporative CMS developed by Dmacroweb. The vulnerability arises due to improper authorization checks in the /administer/selectionnode/selection.asp endpoint, where an attacker can manipulate the 'option' parameter by setting it to values 0, 1, or 2 to gain unauthorized access to private areas of the CMS. This vulnerability is classified under CWE-639, which refers to Authorization Bypass Through User-Controlled Key, indicating that the system fails to properly validate user permissions when accessing resources based on user-supplied keys or parameters. The CVSS 4.0 base score is 6.9 (medium severity), reflecting that the vulnerability can be exploited remotely without authentication or user interaction, with low attack complexity and no impact on confidentiality, integrity, or availability beyond unauthorized access to restricted areas. Although no known exploits are currently reported in the wild and no patches have been published, the vulnerability presents a risk of unauthorized data exposure or manipulation within the CMS's private administrative sections. The affected version is listed as '0', which likely refers to an initial or specific version of the DM Corporative CMS. The vulnerability was published on June 10, 2025, and assigned by INCIBE, a recognized cybersecurity entity. Given the nature of the vulnerability, attackers could potentially leverage this flaw to access sensitive administrative functions or data, which could lead to further exploitation or data breaches if combined with other vulnerabilities or misconfigurations.

Potential Impact

For European organizations using DM Corporative CMS, this vulnerability poses a moderate risk primarily related to unauthorized access to private administrative areas. The impact includes potential exposure of sensitive business data, unauthorized configuration changes, or access to user information managed within the CMS. Although the vulnerability does not directly compromise confidentiality, integrity, or availability at a high level, unauthorized access to administrative functions can facilitate lateral movement or privilege escalation attacks. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, could face compliance issues or reputational damage if unauthorized access leads to data leaks. Additionally, since the vulnerability requires no authentication and can be exploited remotely, it increases the attack surface for threat actors targeting European entities using this CMS. The absence of known exploits in the wild currently reduces immediate risk, but the medium severity rating and ease of exploitation warrant prompt attention to prevent future attacks.

Mitigation Recommendations

Given the lack of an official patch, European organizations should implement the following specific mitigations:

1) Restrict access to the /administer/selectionnode/selection.asp endpoint using network-level controls such as IP whitelisting or VPN access to limit exposure to trusted administrators only.
2) Implement web application firewall (WAF) rules to detect and block requests with suspicious 'option' parameter values (0, 1, 2) or unusual access patterns targeting the vulnerable endpoint.
3) Conduct thorough access control reviews and enforce strict authorization checks within the CMS, ensuring that user-supplied parameters cannot bypass permission validations.
4) Monitor logs for anomalous access attempts to the selection.asp page and alert on unauthorized access patterns.
5) Engage with the vendor (Dmacroweb) to obtain or request a security patch or update that addresses the IDOR vulnerability.
6) If feasible, consider isolating or replacing the affected CMS with a more secure alternative until a fix is available.
7) Educate administrators on the risks of exposing administrative interfaces publicly and enforce strong authentication and session management practices to reduce the risk of exploitation.
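As an added example (not from the advisory, INCIBE, or the vendor), a small Python detector for mitigation item 4: it scans IIS W3C log lines for requests to the vulnerable page carrying option=0, 1 or 2 that came from an anonymous session or from an address outside an assumed administrator network. The log lines and the 10.0.5.0/24 range are constructed placeholders.

```python
# Flag requests matching the CVE-2025-40661 access pattern in IIS W3C logs.
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

VULN_PATH = "/administer/selectionnode/selection.asp"
SUSPECT_OPTIONS = {"0", "1", "2"}
ADMIN_NETS = [ip_network("10.0.5.0/24")]  # assumed trusted admin range (placeholder)

# Constructed sample log lines, not real traffic; '-' is IIS's empty value (anonymous).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2025-06-11 09:12:01 10.0.5.20 admin GET /administer/selectionnode/selection.asp option=1 200
2025-06-11 09:13:44 203.0.113.7 - GET /administer/selectionnode/selection.asp option=0 200
2025-06-11 09:13:45 203.0.113.7 - GET /administer/selectionnode/selection.asp option=2 200
2025-06-11 09:14:02 198.51.100.9 - GET /index.asp option=0 200
"""

def parse_line(line):
    # Split one W3C data line into a dict; None for malformed lines.
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, ip, user, method, stem, query, status = parts
    return {"ts": f"{date} {time}", "ip": ip, "user": user, "method": method,
            "stem": stem.lower(), "query": query, "status": status}

def is_trusted(ip):
    # True when the client address falls inside an allowed admin range.
    try:
        return any(ip_address(ip) in net for net in ADMIN_NETS)
    except ValueError:
        return False

def find_alerts(log_text):
    # One alert per hit on the vulnerable page with option in {0,1,2} that
    # came from an anonymous session or an address outside ADMIN_NETS.
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line) if line and not line.startswith("#") else None
        if rec is None or rec["stem"] != VULN_PATH:
            continue
        hits = SUSPECT_OPTIONS & set(parse_qs(rec["query"]).get("option", []))
        if not hits:
            continue
        reasons = [r for r, bad in (("unauthenticated", rec["user"] == "-"),
                                    ("untrusted source", not is_trusted(rec["ip"]))) if bad]
        if reasons:  # sc-status 200 here means the bypass most likely succeeded
            alerts.append({"ts": rec["ts"], "ip": rec["ip"], "option": sorted(hits),
                           "status": rec["status"], "reasons": reasons})
    return alerts
```

Feed it the real IIS log for the CMS host and route the returned records to your SIEM; an authenticated hit from the admin range is treated as normal use and produces no alert.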


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T08:38:13.919Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68487f561b0bd07c3938a47f

Added to database: 6/10/2025, 6:54:14 PM

Last enriched: 7/11/2025, 12:49:37 AM

Last updated: 8/5/2025, 9:11:09 AM

