
CVE-2025-4762: CWE-20: Improper Input Validation in Lleidanet PKI eSigna

Low
Published: Thu May 15 2025 (05/15/2025, 11:49:59 UTC)
Source: CVE
Vendor/Project: Lleidanet PKI
Product: eSigna

Description

Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allows an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.

AI-Powered Analysis

Last updated: 07/06/2025, 12:13:23 UTC

Technical Analysis

CVE-2025-4762 is an Improper Input Validation vulnerability categorized under CWE-20, affecting the eSignaViewer component of the Lleidanet PKI eSigna product versions 1.0 to 1.5 across all platforms. The vulnerability manifests as an Insecure Direct Object Reference (IDOR), allowing an unauthenticated attacker to manipulate file paths and object identifiers to access arbitrary files within the document system. This means that by crafting specific requests targeting the eSignaViewer, an attacker can bypass access controls and retrieve files that should be restricted, potentially exposing sensitive documents. The vulnerability does not require authentication, increasing its risk profile, but the CVSS 4.0 vector indicates a high attack complexity (AC:H) and low confidentiality impact (VC:L), with no impact on integrity or availability. User interaction is required (UI:A), and the attacker needs low privileges (PR:L), which suggests some form of limited access or interaction is necessary, possibly through a user-initiated action. The vulnerability is currently not known to be exploited in the wild, and no patches have been linked yet. The low CVSS score (2) reflects the limited impact and complexity, but the ability to access arbitrary files without authentication still poses a security concern, especially for organizations handling sensitive or regulated data.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the sensitivity of the documents managed by the eSigna system. Since eSigna is a PKI-based electronic signature solution, it likely handles legally binding documents, contracts, and identity verification materials. Unauthorized access to such files could lead to data breaches involving personal data, intellectual property, or confidential business information, potentially violating GDPR and other data protection regulations. Although the confidentiality impact is rated low, even limited unauthorized file access can have serious compliance and reputational consequences. The lack of integrity or availability impact reduces the risk of service disruption or data tampering, but the exposure of sensitive documents alone is a critical concern. European organizations in sectors such as legal, finance, government, and healthcare that rely on eSigna for document signing and storage are particularly at risk. The vulnerability's requirement for user interaction and high attack complexity somewhat limits mass exploitation but targeted attacks remain plausible.

Mitigation Recommendations

Organizations using Lleidanet PKI eSigna versions 1.0 to 1.5 should immediately assess their exposure to this vulnerability. Since no official patches are currently linked, mitigation should focus on compensating controls:

1) Restrict network access to the eSignaViewer component to trusted internal networks or VPNs to reduce exposure to unauthenticated attackers.
2) Implement strict monitoring and logging of file access requests to detect anomalous or unauthorized attempts to access documents.
3) Conduct a thorough review of access control configurations and ensure that file path and object identifier inputs are sanitized and validated to prevent manipulation.
4) Educate users about the risk of interacting with suspicious links or files that could trigger exploitation.
5) Engage with Lleidanet PKI support for timelines on patches or updates addressing this vulnerability.
6) Consider deploying Web Application Firewalls (WAFs) with rules to detect and block path traversal or IDOR attack patterns targeting the eSignaViewer.
7) Perform regular security assessments and penetration tests focusing on the document management components to identify and remediate similar weaknesses.
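As an added example (not part of the original advisory and not vendor code), the following Python shows the kind of log review that recommendations 2 and 6 call for: it flags viewer requests whose path or parameters contain traversal sequences after nested URL decoding, and unauthenticated clients that request many distinct document identifiers. The log format, the `/viewer` path, the `doc` and `file` parameter names and the threshold are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed combined-style access log. The /viewer path and the "doc"/"file"
# parameter names are hypothetical placeholders, not taken from eSigna.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"\S+ (?P<target>\S+) [^"]*" \d{3}')
VIEWER_PREFIX = "/viewer"
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
ID_THRESHOLD = 3  # assumed: distinct ids per anonymous client before alerting

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e), bounded to `rounds`."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse(lines):
    """Return (traversal_hits, enumerating_clients) for viewer requests."""
    traversal, ids_by_client = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not url.path.startswith(VIEWER_PREFIX):
            continue
        params = dict(parse_qsl(url.query))  # parse_qsl decodes one layer
        values = [fully_decode(url.path)] + [fully_decode(v) for v in params.values()]
        if any(TRAVERSAL_RE.search(v) for v in values):
            traversal.append((m["ip"], m["target"]))
        if m["user"] == "-" and "doc" in params:  # "-" means no authenticated user
            ids_by_client[m["ip"]].add(params["doc"])
    enumerating = sorted(ip for ip, ids in ids_by_client.items()
                         if len(ids) >= ID_THRESHOLD)
    return traversal, enumerating

# Constructed sample log lines (documentation IP ranges), for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/May/2025:12:00:01 +0000] "GET /viewer?doc=1001 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/May/2025:12:00:05 +0000] "GET /viewer?doc=1001 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/May/2025:12:00:06 +0000] "GET /viewer?doc=1002 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [15/May/2025:12:00:07 +0000] "GET /viewer?doc=1003 HTTP/1.1" 200 4100',
    '203.0.113.4 - - [15/May/2025:12:01:00 +0000] "GET /viewer?file=%252e%252e%252fconf HTTP/1.1" 403 0',
    '192.0.2.10 - alice [15/May/2025:12:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 900',
]
```

Calling `analyse(SAMPLE_LOG)` returns the double-encoded traversal request from 203.0.113.4 and lists 198.51.100.7 as an anonymous client that touched three distinct identifiers.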


Technical Details

Data Version: 5.1
Assigner Short Name: Edgewatch
Date Reserved: 2025-05-15T11:45:21.855Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec76b

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 12:13:23 PM

Last updated: 8/15/2025, 6:03:12 PM
