CVE-2025-41358 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting i2A's CronosWeb product, specifically versions 24.05 and 25.00 prior to patch 25.00.00.12. The vulnerability arises from insufficient validation of the 'documentCode' parameter in the endpoint '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'. Authenticated users with low privileges can manipulate this parameter to access documents belonging to other users, bypassing intended access controls. This is a classic Insecure Direct Object Reference (IDOR) flaw, where the application trusts user-supplied input to reference sensitive resources without proper authorization checks. The CVSS 4.0 score is 8.3 (high), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, no user interaction, and a high impact on confidentiality. The vulnerability does not affect integrity or availability but compromises sensitive document confidentiality. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered exploitable. The vulnerability was reserved in April 2025 and published in December 2025, with INCIBE as the assigner. The affected versions are widely used in various European organizations for document management, making this a significant risk for unauthorized data disclosure.

For European organizations, this vulnerability poses a serious risk to the confidentiality of sensitive documents managed within CronosWeb. Unauthorized access to personal, corporate, or regulated data could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial penalties. Sectors such as government, healthcare, finance, and critical infrastructure that rely on CronosWeb for document handling are particularly vulnerable. The ability for an attacker to access other users' documents without elevated privileges or user interaction increases the likelihood of exploitation. This could facilitate insider threats or external attackers who have obtained valid credentials. The breach of confidentiality could also enable further attacks, such as social engineering or targeted phishing campaigns. Given the high CVSS score and the nature of the data involved, the impact on European organizations is substantial, especially where sensitive personal or classified information is stored.

1. Immediately apply the official patch or upgrade CronosWeb to version 25.00.00.12 or later, where the vulnerability is fixed. 2. If patching is not immediately possible, implement strict server-side validation of the 'documentCode' parameter to ensure that users can only access documents they are authorized to view. 3. Conduct a thorough audit of access control mechanisms across all document-related endpoints to detect and remediate similar IDOR issues. 4. Monitor logs for unusual access patterns or repeated attempts to manipulate document identifiers. 5. Enforce strong authentication and session management controls to reduce the risk of credential compromise. 6. Educate users about the risks of credential sharing and phishing to prevent attackers from gaining authenticated access. 7. Consider implementing additional application-layer access controls, such as attribute-based access control (ABAC), to complement existing mechanisms. 8. Review and update incident response plans to quickly address any exploitation attempts. 9. Engage with i2A support or security teams for guidance and to receive timely updates on any further advisories.