CVE-2025-41358: CWE-639 Authorization Bypass Through User-Controlled Key in CronosWeb i2A CronosWeb
Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
AI Analysis
Technical Summary
CVE-2025-41358 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting i2A's CronosWeb product in versions prior to 25.00.00.12, specifically versions 24.05 and 25.00. The vulnerability arises from insufficient validation of the 'documentCode' parameter in the endpoint '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'. An authenticated attacker can change this parameter to access documents belonging to other users, bypassing the intended access controls. This is a classic Insecure Direct Object Reference (IDOR) flaw: the application uses the user-supplied key to look up the document without checking that the requesting user is authorized to see it. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required, i.e. an ordinary authenticated account (PR:L), no user interaction (UI:N), and high confidentiality impact (VC:H) with no impact on integrity or availability. The vulnerability is critical in environments where sensitive personal or corporate documents are managed, as unauthorized access can lead to data leakage and compliance violations. Although no exploits are currently known in the wild, the ease of exploitation and the high confidentiality impact make it a significant threat. The vulnerability was reserved in April 2025 and published in December 2025, with INCIBE as the assigner. No official patches are linked yet, so organizations must implement compensating controls promptly.
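The following added example (illustrative code written for this page, not CronosWeb's or i2A's code; the SQLite schema, the document codes and the user ids are constructed) shows the CWE-639 pattern described above next to its corrected form. The vulnerable handler looks the document up purely by the user-controlled 'documentCode'; the hardened one makes ownership part of the query, taking the user id from the server-side session and returning the same error for "missing" and "not yours".

```python
import sqlite3


class NotFound(Exception):
    """Raised for both 'no such document' and 'not owned by this user', deliberately."""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not CronosWeb's schema): two users, one document each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "code TEXT PRIMARY KEY, owner_id INTEGER NOT NULL, content TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            ("DOC-1001", 1, "payslip of user 1"),
            ("DOC-1002", 2, "contract of user 2"),
        ],
    )
    return conn


def fetch_document_vulnerable(conn, session_user_id, document_code):
    """CWE-639 pattern: the lookup is driven solely by the user-controlled key.

    The query is parameterised, so this is not SQL injection. The defect is that
    session_user_id is never consulted: any authenticated user who supplies
    another person's code receives that person's document.
    """
    row = conn.execute(
        "SELECT code, owner_id, content FROM documents WHERE code = ?",
        (document_code,),
    ).fetchone()
    if row is None:
        raise NotFound(document_code)
    return row


def fetch_document_hardened(conn, session_user_id, document_code):
    """Server-side authorization: ownership is part of the query itself.

    session_user_id comes from the server-side session, never from the request.
    A missing document and a document owned by someone else produce the same
    error, so responses do not reveal which codes exist.
    """
    row = conn.execute(
        "SELECT code, owner_id, content FROM documents WHERE code = ? AND owner_id = ?",
        (document_code, session_user_id),
    ).fetchone()
    if row is None:
        raise NotFound(document_code)
    return row


def can_read(fetch, conn, session_user_id, document_code) -> bool:
    """True if `fetch` hands the document to this user; used to compare both handlers."""
    try:
        fetch(conn, session_user_id, document_code)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    db = build_sample_db()
    for user in (1, 2):
        for code in ("DOC-1001", "DOC-1002"):
            print(user, code,
                  "vulnerable:", can_read(fetch_document_vulnerable, db, user, code),
                  "hardened:", can_read(fetch_document_hardened, db, user, code))
```

Scoping the query by owner is preferable to fetching the row and then comparing owner ids in application code, because a forgotten comparison in one code path silently reintroduces the flaw; with the owner in the WHERE clause there is no row to leak. Roles that legitimately need cross-user access (an HR administrator, for instance) should get an explicit, separately audited path rather than a relaxed default.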
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive documents, which can include personal data protected under GDPR or confidential corporate information. This breach of confidentiality can lead to regulatory penalties, reputational damage, and loss of customer trust. Since CronosWeb is used in document management, sectors such as finance, healthcare, legal, and government are particularly at risk. The vulnerability does not affect integrity or availability directly but compromises data privacy significantly. The requirement for authentication limits the attacker pool to insiders and holders of compromised accounts, but the low complexity and lack of user interaction mean that such an attacker can exploit the flaw rapidly once authenticated. This could facilitate insider threats or lateral movement within networks. The absence of known exploits in the wild suggests a window for proactive defense, but the high CVSS score indicates urgency. Organizations handling large volumes of sensitive documents must consider this a critical risk to their information security posture.
Mitigation Recommendations
1. Immediately audit and restrict access controls on the 'documentCode' parameter to ensure server-side authorization checks validate user permissions before granting access to documents.
2. Implement strict input validation and enforce least privilege principles in the application logic to prevent unauthorized document retrieval.
3. Monitor access logs for unusual patterns, such as users accessing documents outside their typical scope or volume spikes in document retrieval requests.
4. If patches become available from i2A, prioritize their deployment in all affected environments.
5. Employ multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability.
6. Conduct regular security assessments and penetration testing focusing on access control mechanisms within CronosWeb.
7. Educate users and administrators about the risks of IDOR vulnerabilities and encourage prompt reporting of suspicious activity.
8. Consider implementing Web Application Firewalls (WAFs) with custom rules to detect and block manipulation attempts of the 'documentCode' parameter.
9. Segregate sensitive document repositories and apply additional encryption or access controls at the storage level as a defense-in-depth measure.
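Recommendation 3 (monitoring access logs for out-of-scope reads and volume spikes) is the compensating control available before a patch. The added example below is illustrative code for this page, not an i2A or CronosWeb tool: the access-log line format, the user names, the ownership map and the thresholds are all constructed assumptions. Only the endpoint path is taken from the advisory. It flags a user who successfully reads documents they do not own, and a user who requests more distinct 'documentCode' values within a time window than the threshold allows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory. The log line format below is a constructed
# example for this page, not CronosWeb's real access-log format.
ENDPOINT = "/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas"

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>[^?\s]+)\?documentCode=(?P<code>[^&\s]+)\S* (?P<status>\d{3})$"
)

# Constructed ownership map (which user each document belongs to). In a real
# deployment this would be joined from the application database.
OWNERS = {
    "DOC-1001": "alice",
    "DOC-2001": "bob",
    **{f"DOC-20{n:02d}": "carol" for n in range(2, 10)},
}

# Constructed sample log: alice reads her own document twice; bob reads his own
# document and then eight of carol's within under two minutes; dave hits a
# different endpoint and must be ignored by the parser.
SAMPLE_LOG = [
    "2025-12-10T11:30:00Z user=alice GET " + ENDPOINT + "?documentCode=DOC-1001 200",
    "2025-12-10T11:31:00Z user=alice GET " + ENDPOINT + "?documentCode=DOC-1001 200",
    "2025-12-10T11:32:00Z user=bob GET " + ENDPOINT + "?documentCode=DOC-2001 200",
    "2025-12-10T11:34:00Z user=dave GET /CronosWeb/Other?documentCode=DOC-1001 200",
] + [
    f"2025-12-10T11:33:{5 * n:02d}Z user=bob GET " + ENDPOINT + f"?documentCode=DOC-20{n:02d} 200"
    for n in range(2, 10)
]


def parse_line(line: str):
    """Parse one constructed access-log line; None for non-matching or other endpoints."""
    m = LOG_RE.match(line)
    if not m or m.group("path") != ENDPOINT:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "user": m.group("user"),
        "code": m.group("code"),
        "status": int(m.group("status")),
    }


def find_suspicious_access(lines, owners, *, window=timedelta(minutes=5), max_distinct=5):
    """Return {user: [(reason, detail), ...]} for users whose document access looks anomalous.

    Two checks matching the advisory's monitoring advice:
      - foreign_document_read: successful (2xx) reads of documents the user does not own
      - volume_spike: more than `max_distinct` distinct documentCodes within `window`
    Thresholds are assumptions; tune them to the deployment's normal usage.
    """
    by_user = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_user[event["user"]].append(event)

    alerts = defaultdict(list)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        # Unknown codes default to the requesting user, so they are not counted as foreign.
        foreign = sorted({
            e["code"] for e in events
            if 200 <= e["status"] < 300 and owners.get(e["code"], user) != user
        })
        if foreign:
            alerts[user].append(("foreign_document_read", foreign))
        # Sliding window over time-ordered events: count distinct codes requested
        # within `window` of each starting event and alert on the first breach.
        for i, start in enumerate(events):
            codes = {e["code"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(codes) > max_distinct:
                alerts[user].append(("volume_spike", len(codes)))
                break
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in find_suspicious_access(SAMPLE_LOG, OWNERS).items():
        print(user, reasons)
```

The ownership check is the stronger of the two signals because it needs no threshold, but it requires the log to be joined with the application's ownership data; the volume check works on the web server log alone and catches enumeration even when ownership is unknown. Denied requests (4xx) are excluded from the foreign-read check here so that a correctly patched application does not raise false positives, but a separate count of denials per user is a reasonable third signal.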
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:57:04.870Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69395a3ce27bef3ae4bc14fb
Added to database: 12/10/2025, 11:32:12 AM
Last enriched: 12/17/2025, 11:45:00 AM
Last updated: 2/7/2026, 8:56:07 AM