
CVE-2025-41098: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner

High
Tags: Vulnerability, CVE-2025-41098, CWE-639
Published: Tue Sep 30 2025 (09/30/2025, 11:18:20 UTC)
Source: CVE Database V5
Vendor/Project: GLOBAL PLANNING SOLUTIONS S.L (GPS)
Product: BOLD Workplanner

Description

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a misuse of the general enquiry web service.

AI-Powered Analysis

AI analysis last updated: 09/30/2025, 19:29:01 UTC

Technical Analysis

CVE-2025-41098 is a high-severity vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the BOLD Workplanner product developed by GLOBAL PLANNING SOLUTIONS S.L (GPS). The vulnerability exists in versions prior to 2.5.25 and was specifically identified in version 2.5.24. It arises from an Insecure Direct Object Reference (IDOR) flaw in the application's general enquiry web service: the service returns records selected by a key the client supplies, without verifying that the caller is authorized to see the record that key refers to. Per the CVSS 4.0 vector, an attacker needs only low privileges (PR:L, i.e. an ordinary authenticated account), no special attack requirements (AT:N) and no user interaction (UI:N), and can reach the service remotely over the network (AV:N) with low attack complexity (AC:L). The impact is on confidentiality (VC:H), with no direct impact on integrity or availability. Because any low-privileged account suffices and no user interaction is needed, the risk profile is elevated. Although no exploits are currently reported in the wild, the vulnerability's characteristics suggest it could be used to read data that should be restricted, potentially exposing confidential planning or scheduling information managed by BOLD Workplanner. The absence of a patch link indicates that a fix may not yet be publicly available or is pending release. Organizations running affected versions should treat this vulnerability as a significant risk to data confidentiality and take immediate steps to mitigate exposure.

Potential Impact

For European organizations, the impact of CVE-2025-41098 could be substantial, especially for those relying on BOLD Workplanner for critical workforce scheduling and planning operations. Unauthorized access to scheduling data could expose personal employee information, operational plans, or strategic business data. This could result in privacy violations under GDPR, reputational damage, and regulatory penalties. Adversaries could also use the information gained to facilitate further attacks such as social engineering or targeted intrusions, and the confidentiality breach could undermine trust between employees and management or between business partners. Since the vulnerability does not directly affect integrity or availability, operational disruption may be limited; the exposure of sensitive data alone, however, is a serious concern. The remote, low-privilege nature of the flaw increases the risk of widespread exploitation if it is weaponized, particularly in sectors with high reliance on workforce planning tools such as manufacturing, logistics, healthcare, and public services.

Mitigation Recommendations

To mitigate CVE-2025-41098, European organizations should immediately upgrade BOLD Workplanner to version 2.5.25 or later once available, as this is the only definitive fix. Until a patch is released, organizations should implement strict network-level access controls to restrict access to the general enquiry web service, limiting it to trusted internal IP addresses or VPN users. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious parameter manipulation attempts targeting the enquiry service. Conduct thorough audits of user permissions to ensure least privilege principles are enforced, minimizing the number of users with access to sensitive enquiry functions. Monitor logs for unusual access patterns or repeated failed attempts to access unauthorized data. Additionally, consider isolating the BOLD Workplanner environment from the internet or untrusted networks to reduce exposure. Engage with the vendor for timely updates and advisories. Finally, prepare incident response plans to quickly address any potential data exposure incidents stemming from this vulnerability.
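The log-monitoring recommendation above can be made concrete. The following is an added example, not code from the page or the vendor: it parses constructed access-log lines for an enquiry endpoint (the `/ws/enquiry` path, the `id` parameter and the log format are assumptions, since the page does not publish them) and flags any principal that walks a near-sequential run of distinct record keys, the pattern an IDOR probe leaves behind regardless of whether individual requests succeed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real BOLD Workplanner logs). The endpoint,
# the "id" parameter and the line layout are assumptions for this example.
SAMPLE_LOG = """\
2025-09-30T11:00:01Z user=alice status=200 GET /ws/enquiry?id=1042
2025-09-30T11:00:04Z user=alice status=200 GET /ws/enquiry?id=1043
2025-09-30T11:00:05Z user=bob status=200 GET /ws/enquiry?id=2001
2025-09-30T11:00:06Z user=bob status=200 GET /ws/enquiry?id=2002
2025-09-30T11:00:07Z user=bob status=200 GET /ws/enquiry?id=2003
2025-09-30T11:00:08Z user=bob status=403 GET /ws/enquiry?id=2004
2025-09-30T11:00:09Z user=bob status=200 GET /ws/enquiry?id=2005
2025-09-30T11:00:10Z user=bob status=200 GET /ws/enquiry?id=2006
2025-09-30T11:00:12Z user=bob status=200 GET /ws/enquiry?id=2007
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) status=(?P<status>\d{3}) "
    r"(?P<method>[A-Z]+) (?P<path>/ws/enquiry)\?id=(?P<id>\d+)$"
)


def parse_enquiry_requests(log_text):
    """Yield (user, record_id, status) for every enquiry-service request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], int(m["id"]), int(m["status"])


def find_enumerators(log_text, min_distinct_ids=5, max_gap=2):
    """Return {user: sorted distinct ids} for principals whose distinct
    record keys form a run with no gap larger than max_gap. A 403 inside
    the run is kept: the attempt itself is the signal, not its outcome."""
    seen = defaultdict(set)
    for user, record_id, _status in parse_enquiry_requests(log_text):
        seen[user].add(record_id)
    flagged = {}
    for user, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) < min_distinct_ids:
            continue
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if all(g <= max_gap for g in gaps):
            flagged[user] = ordered
    return flagged
```

Thresholds are deployment-specific: tune `min_distinct_ids` against how many distinct records a legitimate user touches per session in your environment before wiring the output into alerting.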


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T09:09:37.996Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68dc2f6b11d133094dbff38b

Added to database: 9/30/2025, 7:28:43 PM

Last enriched: 9/30/2025, 7:29:01 PM

Last updated: 10/1/2025, 12:09:43 AM
