CVE-2025-47457: CWE-862 Missing Authorization in dgamoni LocateAndFilter
Missing Authorization vulnerability in dgamoni LocateAndFilter allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LocateAndFilter: from n/a through 1.6.16.
AI Analysis
Technical Summary
CVE-2025-47457 is a security vulnerability classified under CWE-862, indicating a Missing Authorization issue in the dgamoni product LocateAndFilter. This vulnerability allows unauthorized users to access functionality that is not properly constrained by Access Control Lists (ACLs). Specifically, the affected function is LocateAndFilter, with versions up to 1.6.16 impacted. The vulnerability permits remote attackers to invoke certain functions without proper authorization checks, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N, meaning the attack can be performed over the network without any privileges or user interaction. The impact on confidentiality is limited (C:L), with no impact on integrity or availability. This suggests that unauthorized access could lead to information disclosure but not modification or denial of service. The lack of authentication and user interaction requirements makes exploitation easier, but the scope is limited to information leakage rather than full system compromise. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published recently in May 2025, and the vendor project is dgamoni, which may be a specialized software provider. The absence of affected version details beyond "n/a through 1.6.16" suggests that the issue is present in all versions up to 1.6.16, with no indication of later fixed versions. Overall, this vulnerability represents a moderate risk due to unauthorized information access via missing authorization controls in a network-exposed function.
Potential Impact
For European organizations using dgamoni's LocateAndFilter product, this vulnerability could lead to unauthorized disclosure of sensitive information accessible through the LocateAndFilter functionality. Although the impact is limited to confidentiality and does not affect integrity or availability, the exposure of sensitive data could have regulatory and reputational consequences, especially under GDPR requirements. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on this software may face increased risk of data leakage. The ease of exploitation without authentication or user interaction increases the threat level, as attackers can remotely probe and extract information without needing credentials. However, since no known exploits are currently reported, the immediate risk may be moderate but could escalate if exploit code becomes available. The lack of patches means organizations must rely on compensating controls until updates are released. Overall, the vulnerability poses a moderate confidentiality risk that could facilitate further attacks or data breaches if leveraged in a targeted campaign against European entities.
Mitigation Recommendations
1. Implement strict network-level access controls to limit exposure of the LocateAndFilter service to trusted internal networks or VPNs, reducing the attack surface. 2. Employ Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with custom rules to detect and block unauthorized attempts to access LocateAndFilter functionality. 3. Conduct thorough access reviews and ensure that any custom ACLs or authorization mechanisms supplement the default controls, compensating for the missing authorization in the vulnerable function. 4. Monitor logs for unusual or unauthorized access patterns related to LocateAndFilter and establish alerting for suspicious activities. 5. Engage with the vendor (dgamoni) for timely updates and patches; prioritize patching once available. 6. If possible, disable or restrict the LocateAndFilter feature temporarily until a fix is applied, especially in high-risk environments. 7. Educate security teams about this vulnerability to enhance detection and response capabilities. 8. Perform penetration testing focused on authorization controls to identify any other potential gaps in the environment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
CVE-2025-47457: CWE-862 Missing Authorization in dgamoni LocateAndFilter
Description
Missing Authorization vulnerability in dgamoni LocateAndFilter allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LocateAndFilter: from n/a through 1.6.16.
AI-Powered Analysis
Technical Analysis
CVE-2025-47457 is a security vulnerability classified under CWE-862, indicating a Missing Authorization issue in the dgamoni product LocateAndFilter. This vulnerability allows unauthorized users to access functionality that is not properly constrained by Access Control Lists (ACLs). Specifically, the affected function is LocateAndFilter, with versions up to 1.6.16 impacted. The vulnerability permits remote attackers to invoke certain functions without proper authorization checks, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N, meaning the attack can be performed over the network without any privileges or user interaction. The impact on confidentiality is limited (C:L), with no impact on integrity or availability. This suggests that unauthorized access could lead to information disclosure but not modification or denial of service. The lack of authentication and user interaction requirements makes exploitation easier, but the scope is limited to information leakage rather than full system compromise. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published recently in May 2025, and the vendor project is dgamoni, which may be a specialized software provider. The absence of affected version details beyond "n/a through 1.6.16" suggests that the issue is present in all versions up to 1.6.16, with no indication of later fixed versions. Overall, this vulnerability represents a moderate risk due to unauthorized information access via missing authorization controls in a network-exposed function.
Potential Impact
For European organizations using dgamoni's LocateAndFilter product, this vulnerability could lead to unauthorized disclosure of sensitive information accessible through the LocateAndFilter functionality. Although the impact is limited to confidentiality and does not affect integrity or availability, the exposure of sensitive data could have regulatory and reputational consequences, especially under GDPR requirements. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on this software may face increased risk of data leakage. The ease of exploitation without authentication or user interaction increases the threat level, as attackers can remotely probe and extract information without needing credentials. However, since no known exploits are currently reported, the immediate risk may be moderate but could escalate if exploit code becomes available. The lack of patches means organizations must rely on compensating controls until updates are released. Overall, the vulnerability poses a moderate confidentiality risk that could facilitate further attacks or data breaches if leveraged in a targeted campaign against European entities.
Mitigation Recommendations
1. Implement strict network-level access controls to limit exposure of the LocateAndFilter service to trusted internal networks or VPNs, reducing the attack surface. 2. Employ Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with custom rules to detect and block unauthorized attempts to access LocateAndFilter functionality. 3. Conduct thorough access reviews and ensure that any custom ACLs or authorization mechanisms supplement the default controls, compensating for the missing authorization in the vulnerable function. 4. Monitor logs for unusual or unauthorized access patterns related to LocateAndFilter and establish alerting for suspicious activities. 5. Engage with the vendor (dgamoni) for timely updates and patches; prioritize patching once available. 6. If possible, disable or restrict the LocateAndFilter feature temporarily until a fix is applied, especially in high-risk environments. 7. Educate security teams about this vulnerability to enhance detection and response capabilities. 8. Perform penetration testing focused on authorization controls to identify any other potential gaps in the environment.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-05-07T09:38:48.851Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d981bc4522896dcbd9855
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 7/5/2025, 1:41:07 PM
Last updated: 8/11/2025, 5:45:53 AM
Views: 11
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.