
CVE-2025-47612: CWE-862 Missing Authorization in flowdee ClickWhale

Severity: Medium
Tags: Vulnerability, CVE-2025-47612, cve, cwe-862
Published: Wed May 07 2025 (05/07/2025, 14:20:30 UTC)
Source: CVE
Vendor/Project: flowdee
Product: ClickWhale

Description

Missing Authorization vulnerability in flowdee ClickWhale allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ClickWhale: from n/a through 2.4.6.
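What a CWE-862 weakness looks like in a WordPress plugin, and how it is fixed, as an added example: this is generic illustrative code written for this page, not ClickWhale's code, and nothing on this page says which ClickWhale code path lacks the check. ClickWhale is a WordPress plugin (the CVE was assigned by Patchstack, which covers the WordPress ecosystem), so the example uses WordPress's admin-ajax and REST mechanisms; the action names, route, option key and the capability chosen are assumptions.

```php
<?php
// Added example for this page: a generic CWE-862 (missing authorization)
// pattern in a WordPress plugin, beside the hardened form. Not ClickWhale
// code; the action names, option key and capability are hypothetical.

// ---- Vulnerable handler -------------------------------------------------
// wp_ajax_{action} fires for every logged-in user, whatever their role. With
// no capability check, a Subscriber-level account (CVSS PR:L) can overwrite
// the stored link target: an integrity impact with no confidentiality gain.
add_action( 'wp_ajax_demo_save_link', 'demo_save_link_vulnerable' );
function demo_save_link_vulnerable() {
    $id  = (int) ( $_POST['id'] ?? 0 );
    $url = (string) ( $_POST['url'] ?? '' );
    update_option( 'demo_link_' . $id, $url ); // state change, no authorization
    wp_send_json_success();
}

// ---- Hardened handler ---------------------------------------------------
add_action( 'wp_ajax_demo_save_link_v2', 'demo_save_link_hardened' );
function demo_save_link_hardened() {
    // The CWE-862 fix: require a capability that only the intended roles hold.
    // Being logged in is authentication, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // Nonce check: a separate control against CSRF of the same action.
    check_ajax_referer( 'demo_save_link', 'nonce' );

    $id  = absint( $_POST['id'] ?? 0 );
    $url = esc_url_raw( wp_unslash( (string) ( $_POST['url'] ?? '' ) ) );
    if ( 0 === $id || '' === $url ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }
    update_option( 'demo_link_' . $id, $url );
    wp_send_json_success();
}

// ---- REST equivalent ----------------------------------------------------
// For REST routes the authorization hook is permission_callback. Omitting it
// (or passing '__return_true' on a state-changing route) is the same CWE-862
// weakness; WordPress 5.5+ emits a _doing_it_wrong notice when it is absent.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/link/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_link',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'id'  => array( 'validate_callback' => function ( $value ) { return is_numeric( $value ); } ),
            'url' => array( 'required' => true ),
        ),
    ) );
} );
function demo_rest_save_link( WP_REST_Request $request ) {
    $url = esc_url_raw( (string) $request->get_param( 'url' ) );
    if ( '' === $url ) {
        return new WP_Error( 'invalid_url', 'invalid input', array( 'status' => 400 ) );
    }
    update_option( 'demo_link_' . absint( $request['id'] ), $url );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

To see the difference, log in as a Subscriber and POST action=demo_save_link with id and url to /wp-admin/admin-ajax.php: the vulnerable handler writes the option and answers with success; demo_save_link_v2 answers 403 before touching any state. The hardened client must also send a nonce minted with wp_create_nonce('demo_save_link') in the nonce field, and the nonce on its own is not a substitute for the capability check: it only proves the request came from the site's own page, not that the user is allowed to perform the action.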

AI-Powered Analysis

Last updated: 07/05/2025, 05:55:10 UTC

Technical Analysis

CVE-2025-47612 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) in ClickWhale, a WordPress plugin developed by flowdee, affecting all versions up to and including 2.4.6 (Patchstack's "from n/a through 2.4.6" means no lower bound is known). The flaw is a missing authorization check: a code path that changes application state can be reached by an authenticated user whose privileges should not permit it. The CVSS v3.1 metrics reported here are network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on integrity and availability with no confidentiality impact (C:N/I:L/A:L); the base score of 5.4 is only reproduced with unchanged scope (S:U), so the full vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. In practice PR:L means any low-privileged account on the site is sufficient (for example a WordPress Subscriber on a site with open registration); such an attacker can make unauthorized changes to plugin data or degrade the service, but gains no access to data they could not already read. No exploitation in the wild has been reported and no patch is linked on this page. The record was published on May 7, 2025 and enriched by CISA's ADP (Vulnrichment), which adds metadata such as CVSS and CWE to CVE records; that enrichment is routine and is not an indicator that the flaw is being exploited. Until a fixed release is confirmed, organizations running ClickWhale should apply compensating controls and monitor for vendor updates.
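Reproducing the score from the metrics above, as an added check using the CVSS v3.1 specification formulas (the advisory page itself does not show the calculation; metric weights are AV:N = 0.85, AC:L = 0.77, PR:L = 0.62 for unchanged scope, UI:N = 0.85, C:N = 0, I:L = A:L = 0.22):

ISS = 1 − (1 − C)(1 − I)(1 − A) = 1 − (1 − 0)(1 − 0.22)(1 − 0.22) = 1 − 0.6084 = 0.3916
Impact (S:U) = 6.42 × ISS = 6.42 × 0.3916 = 2.514
Exploitability = 8.22 × AV × AC × PR × UI = 8.22 × 0.85 × 0.77 × 0.62 × 0.85 = 2.835
Base (S:U) = Roundup(min(Impact + Exploitability, 10)) = Roundup(5.349) = 5.4

With changed scope the same metrics would not give 5.4: PR:L becomes 0.68, Impact (S:C) = 7.52 × (ISS − 0.029) − 3.25 × (ISS − 0.02)^15 = 2.727, Exploitability = 3.110, and Base (S:C) = Roundup(min(1.08 × (2.727 + 3.110), 10)) = Roundup(6.303) = 6.4. This is why the stated 5.4 implies S:U, and why the flaw is understood as contained to the plugin's own site rather than crossing into another security authority.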

Potential Impact

For European organizations the impact depends on the role ClickWhale plays in their web presence. ClickWhale manages and tracks links, so the assets at stake are the integrity of link data and the availability of the pages and redirects that depend on it; the advisory does not say which of these a low-privileged user can affect. An integrity compromise could mean silently altered link data, and an availability compromise interrupted customer-facing pages, either of which affects business continuity and trust. Confidentiality is not directly impacted, but GDPR Article 32(1)(b) requires the ongoing integrity, availability and resilience of processing systems, so unauthorized changes or outages in a system that may handle personal data (click tracking can record visitor data) remain a compliance concern. The medium rating means the flaw is not an emergency, but it should not be left unaddressed, particularly in sectors with high availability requirements such as finance, healthcare and public services.

Mitigation Recommendations

No patch is linked on this page, so European organizations should apply compensating controls until a fixed release is confirmed:

1) Reduce the pool of accounts that satisfy PR:L: disable open registration if the site does not need it, remove stale or unused low-privileged accounts, and review integrations that create accounts automatically.
2) Limit exposure of the site's administrative surface (the WordPress admin area and its AJAX and REST endpoints) to trusted networks or an authenticating proxy where business use allows; for a public site, a web application firewall in front of the admin area is the practical equivalent.
3) Log and alert on state-changing requests to the plugin issued by accounts outside the roles expected to administer it; an authenticated non-administrator performing such actions is the signal to watch for.
4) Review any ClickWhale settings that govern which roles may use it, and the roles assigned to users, so that only the intended roles can manage links (least privilege).
5) Prepare an incident response playbook for unauthorized link or configuration changes, including how to verify current link destinations against a known-good export.

The affected range "from n/a through 2.4.6" is Patchstack's convention for "all versions up to and including 2.4.6"; check the plugin's changelog and the Patchstack advisory for a release newer than 2.4.6 before concluding that no fix exists, and deploy it promptly once available. Engaging the vendor for confirmation and guidance is also recommended.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-07T10:44:34.647Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd83c4

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 5:55:10 AM

Last updated: 7/24/2025, 7:14:12 AM

