CVE-2025-47585 is a Missing Authorization vulnerability (CWE-862) identified in the Mage people team's Booking and Rental Manager software, affecting versions up to 2.3.8. This vulnerability arises because certain functionality within the application is not properly constrained by Access Control Lists (ACLs), allowing unauthorized users to access features or perform actions that should require specific permissions. According to the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) and a score of 6.5 (medium severity), the vulnerability can be exploited remotely over the network without any privileges or user interaction. The impact primarily affects the integrity and availability of the system, as unauthorized users can manipulate or disrupt booking and rental operations. Confidentiality is not impacted. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in early May 2025 and published in June 2025. The lack of proper authorization checks indicates a design or implementation flaw in the access control mechanisms of the Booking and Rental Manager product, which could be leveraged by attackers to bypass restrictions and perform unauthorized modifications or disruptions within the system.

For European organizations using the Mage people team Booking and Rental Manager, this vulnerability poses a significant risk to operational integrity and service availability. Unauthorized access to booking and rental management functions could lead to data manipulation, fraudulent bookings, service disruptions, or denial of service conditions. This can result in financial losses, reputational damage, and customer trust erosion, especially for businesses relying heavily on these systems for daily operations such as car rentals, property bookings, or equipment leasing. Given the remote and no-authentication exploitation vector, attackers could target these systems en masse, increasing the risk of widespread disruption. The absence of confidentiality impact reduces the risk of sensitive data leakage but does not diminish the operational threat. Organizations in sectors with high dependency on booking and rental workflows should prioritize addressing this vulnerability to maintain service continuity and compliance with regulatory requirements around operational resilience.

1. Immediate mitigation should include implementing strict access control policies at the application and network layers to restrict access to the Booking and Rental Manager system to trusted users and IP ranges only. 2. Conduct a thorough review and audit of all ACL configurations within the Booking and Rental Manager to identify and correct missing or improperly configured authorization checks. 3. Apply any available patches or updates from the vendor as soon as they are released. In the absence of patches, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting vulnerable endpoints. 4. Implement robust monitoring and logging of access to critical functions within the application to detect anomalous or unauthorized activities promptly. 5. Educate system administrators and users about the risks and signs of exploitation attempts. 6. If feasible, isolate the Booking and Rental Manager system in a segmented network zone to limit potential lateral movement by attackers. 7. Engage with the vendor for timely updates and verify the integrity of future patches addressing this vulnerability.