
CVE-2025-42602: CWE-613: Insufficient Session Expiration in Meon KYC solutions

Medium
Published: Wed Apr 23 2025 (04/23/2025, 10:36:07 UTC)
Source: CVE
Vendor/Project: Meon
Product: KYC solutions

Description

This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of the authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through the API request body, leading to unauthorized access to other user accounts.

AI-Powered Analysis

Last updated: 06/22/2025, 07:51:34 UTC

Technical Analysis

CVE-2025-42602 is a medium-severity vulnerability affecting Meon KYC (Know Your Customer) solutions, specifically version 1.1. The root cause lies in insufficient session expiration and improper handling of access and refresh tokens within certain API endpoints involved in the authentication process. This vulnerability is categorized under CWE-613 (Insufficient Session Expiration) and CWE-384 (Session Fixation). An attacker can remotely exploit this flaw by intercepting and manipulating API request bodies, thereby gaining unauthorized access to other users' accounts. The vulnerability arises because the system fails to properly invalidate or expire session tokens, allowing an attacker to reuse or fixate sessions. This can lead to session hijacking without requiring user interaction or authentication, assuming the attacker can intercept API communications. The lack of proper token lifecycle management and session expiration means that once a token is compromised or manipulated, it remains valid longer than intended, increasing the attack window. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk to the confidentiality and integrity of user data within Meon KYC solutions. Given that KYC solutions handle sensitive personal and financial information, unauthorized access could lead to identity theft, fraud, and regulatory compliance violations. The vulnerability was publicly disclosed on April 23, 2025, with no available patches at the time of reporting, emphasizing the need for immediate mitigation measures.
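The analysis above comes down to token lifecycle management: access tokens that actually expire, refresh tokens that are rotated and bounded by both an absolute and an idle lifetime, and invalidation that takes effect immediately. The following is an added, illustrative token service written for this page to show those controls together; it is not Meon's code, and the lifetimes, field names and storage layout are assumptions. Replaying a refresh token that has already been rotated is treated as evidence of compromise and revokes the whole session family, which is the behaviour a CWE-613 fix is meant to guarantee.

```python
"""Added example (not Meon's implementation): a minimal token service that
enforces short access-token lifetimes, refresh-token rotation with replay
detection, and absolute/idle expiry of the refresh family. All lifetimes and
names are assumptions chosen for illustration."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 300           # seconds; assumed short-lived access token
REFRESH_TTL = 8 * 3600     # seconds; absolute lifetime of a refresh-token family
IDLE_TTL = 30 * 60         # seconds; refresh token dies if unused this long


def _h(token: str) -> str:
    # Store only hashes so a leaked store does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    family_created: float
    refresh_hash: str            # hash of the one currently valid refresh token
    last_used: float
    revoked: bool = False
    access_tokens: dict = field(default_factory=dict)  # access hash -> expiry


class TokenService:
    def __init__(self, clock=time.time):
        self.clock = clock                         # injectable for testing
        self.sessions: dict[str, Session] = {}     # session id -> Session
        self.refresh_index: dict[str, str] = {}    # refresh hash -> session id

    def login(self, user: str):
        now = self.clock()
        sid = secrets.token_urlsafe(16)
        refresh = secrets.token_urlsafe(32)
        s = Session(user, now, _h(refresh), now)
        self.sessions[sid] = s
        self.refresh_index[_h(refresh)] = sid
        return sid, self._issue_access(s), refresh

    def _issue_access(self, s: Session) -> str:
        access = secrets.token_urlsafe(32)
        s.access_tokens[_h(access)] = self.clock() + ACCESS_TTL
        return access

    def authenticate(self, access: str):
        """Return the user for a live, unrevoked access token, else None."""
        now = self.clock()
        h = _h(access)
        for s in self.sessions.values():
            exp = s.access_tokens.get(h)
            if exp is not None:
                if s.revoked or now >= exp:
                    return None
                return s.user
        return None

    def refresh(self, refresh: str):
        """Rotate the refresh token; return (access, new_refresh) or None."""
        now = self.clock()
        sid = self.refresh_index.get(_h(refresh))
        if sid is None:
            return None
        s = self.sessions[sid]
        if s.revoked:
            return None
        # A superseded refresh token being presented means it was replayed:
        # revoke the whole family rather than honour either copy.
        if _h(refresh) != s.refresh_hash:
            self.revoke(sid)
            return None
        if now - s.family_created >= REFRESH_TTL or now - s.last_used >= IDLE_TTL:
            self.revoke(sid)
            return None
        new_refresh = secrets.token_urlsafe(32)
        s.refresh_hash = _h(new_refresh)
        s.last_used = now
        # The old hash stays in the index on purpose so a replay is recognised.
        self.refresh_index[_h(new_refresh)] = sid
        return self._issue_access(s), new_refresh

    def revoke(self, sid: str) -> None:
        """Invalidate a session immediately: no token of it works afterwards."""
        s = self.sessions.get(sid)
        if s is not None:
            s.revoked = True
            s.access_tokens.clear()


if __name__ == "__main__":
    svc = TokenService()
    sid, access, refresh = svc.login("demo-user")
    print("authenticated as", svc.authenticate(access))
    print("refresh rotated:", svc.refresh(refresh) is not None)
    print("old refresh replay accepted:", svc.refresh(refresh) is not None)
```

The injectable clock is what makes the expiry paths testable without sleeping; in production the default `time.time` is used.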

Potential Impact

For European organizations, the impact of this vulnerability can be substantial. Meon KYC solutions are likely integrated into financial institutions, fintech companies, and regulatory compliance platforms that process sensitive customer identity data. Unauthorized access to user accounts can lead to exposure of personally identifiable information (PII), financial data, and transaction histories, potentially resulting in identity fraud and financial losses. Additionally, compromised KYC data can undermine trust in compliance processes, leading to regulatory penalties under GDPR and other data protection laws. The integrity of authentication mechanisms is critical for maintaining secure onboarding and transaction approval workflows; exploitation of this vulnerability could allow attackers to bypass these controls. Furthermore, the availability of services might be indirectly affected if organizations need to suspend or restrict KYC operations to address the vulnerability. The medium severity rating reflects a moderate ease of exploitation combined with significant potential impact on confidentiality and integrity, particularly in sectors where KYC is mandatory. European organizations relying on Meon KYC solutions must consider the reputational damage and legal consequences of breaches stemming from this vulnerability.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, enforce strict network-level protections such as TLS encryption with certificate pinning to prevent interception and manipulation of API requests. Employ Web Application Firewalls (WAFs) to detect and block anomalous API traffic patterns indicative of token manipulation. Implement short-lived token lifetimes and require frequent re-authentication to reduce the window of token validity. Monitor authentication logs for unusual session activities, such as multiple concurrent sessions from different IP addresses or rapid token refresh requests. Where possible, apply additional multi-factor authentication (MFA) layers on top of the KYC solution to mitigate unauthorized access risks. Conduct thorough security reviews of API endpoints and consider isolating the vulnerable components until a vendor patch is available. Engage with Meon to obtain timelines for official fixes and request detailed guidance. Finally, educate users and administrators about the risks of session hijacking and encourage prompt reporting of suspicious account activities.
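Two of the log signals named above, token activity for one account from several source addresses inside a short window and bursts of refresh requests, can be checked mechanically. The following is an added example written for this page, not a Meon artifact: it parses a constructed log format (`<ISO timestamp> <user> <event> <ip>`, with invented users and documentation IP ranges) and emits an alert per user for each signal. The thresholds and the log layout are assumptions; adapt them to the real log source.

```python
"""Added example (not Meon's code): detection of session anomalies over
constructed authentication log lines. The log format, user names, IPs and
thresholds are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<ISO timestamp> <user> <event> <ip>"
SAMPLE_LOG = """\
2025-04-23T10:00:00Z alice login 203.0.113.10
2025-04-23T10:00:05Z alice refresh 203.0.113.10
2025-04-23T10:00:40Z alice refresh 198.51.100.7
2025-04-23T10:00:41Z alice refresh 198.51.100.7
2025-04-23T10:00:42Z alice refresh 198.51.100.7
2025-04-23T10:00:43Z alice refresh 198.51.100.7
2025-04-23T10:05:00Z bob login 192.0.2.55
2025-04-23T10:20:00Z bob refresh 192.0.2.55
"""

CONCURRENT_WINDOW = 600     # seconds: distinct IPs for one user within this window
REFRESH_BURST_N = 4         # at least this many refreshes ...
REFRESH_BURST_WINDOW = 60   # ... within this many seconds counts as a burst


def parse(text: str):
    """Turn log lines into (epoch_seconds, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        t = t.replace(tzinfo=timezone.utc).timestamp()
        events.append((t, user, event, ip))
    return events


def detect(events):
    """Return a list of (signal, user, detail) alerts; one per signal per user."""
    alerts = []
    by_user = defaultdict(list)
    for t, user, event, ip in sorted(events):
        by_user[user].append((t, event, ip))

    for user, evs in by_user.items():
        # (a) token activity from more than one source IP inside the window
        for t, _, _ in evs:
            ips = {ip2 for t2, _, ip2 in evs if t - CONCURRENT_WINDOW <= t2 <= t}
            if len(ips) > 1:
                alerts.append(("multi_ip", user, tuple(sorted(ips))))
                break
        # (b) a burst of refresh requests in a sliding window
        refreshes = [t for t, e, _ in evs if e == "refresh"]
        for i in range(len(refreshes)):
            j = i
            while j < len(refreshes) and refreshes[j] - refreshes[i] <= REFRESH_BURST_WINDOW:
                j += 1
            if j - i >= REFRESH_BURST_N:
                alerts.append(("refresh_burst", user, j - i))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample above only `alice` trips both signals; `bob` refreshes once from a single address and stays quiet. In a real deployment the session or token identifier, if the log carries one, is a better grouping key than the user name, since it separates a legitimate second device from a replayed token.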


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-In
Date Reserved: 2025-04-16T12:00:23.726Z
CISA Enriched: true

Threat ID: 682d9847c4522896dcbf5729

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 7:51:34 AM

Last updated: 8/16/2025, 6:02:31 PM
