CVE-2025-47938: CWE-620: Unverified Password Change in TYPO3 typo3
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
AI Analysis
Technical Summary
CVE-2025-47938 is a vulnerability in TYPO3, an open-source PHP-based web content management system widely used for building and managing websites. The flaw lies in the backend user management interface of TYPO3 versions from 9.0.0 up to, but not including, the patched versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. The interface lets backend administrators change the password of their own account or of other user accounts without verifying the current password. Consequently, anyone who obtains an administrator's session (through session hijacking or theft, or because the session was left unattended) can set a new password without knowing the original credentials, which removes an authentication step that would otherwise block unauthorized password changes. The weakness is classified as CWE-620 (Unverified Password Change), a failure to verify the current password before allowing a password update. The CVSS v3.1 base score is 3.8 (low), primarily because exploitation requires high privileges (administrator access), although no user interaction is needed. No exploits in the wild are known at this time. The issue is resolved by upgrading TYPO3 to the fixed versions listed above, which enforce current-password verification for password changes in the backend interface.
Potential Impact
For European organizations using TYPO3 as their content management system, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative accounts. If an attacker can hijack or otherwise gain access to an administrator's session, they can change passwords without additional authentication, potentially locking out legitimate administrators and gaining persistent control over the CMS backend. This could lead to unauthorized content modifications, data breaches, or the deployment of malicious code via the CMS. While the vulnerability does not directly affect availability, the compromise of administrative accounts can indirectly disrupt website operations. Given TYPO3's popularity in Europe, especially among public sector bodies, educational institutions, and medium to large enterprises, the risk is non-negligible. The low CVSS score reflects the prerequisite of already holding administrator-level access or session control, so the vulnerability is an escalation vector rather than an initial entry point. In environments where session management is weak or physical access to terminals is possible, however, the risk increases. The absence of known exploits suggests limited active exploitation, but the vulnerability should be addressed promptly.
Mitigation Recommendations
1. Immediate upgrade of TYPO3 installations to the patched versions: 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS.
2. Implement strict session management controls, including automatic session timeouts, IP binding, and multi-factor authentication (MFA) for administrator accounts to reduce the risk of session hijacking.
3. Enforce physical security and workstation locking policies to prevent unattended sessions from being exploited.
4. Monitor administrative account activities and implement anomaly detection to identify unauthorized password changes or unusual backend access patterns.
5. Conduct regular security awareness training for administrators emphasizing the importance of logging out and securing sessions.
6. Consider additional custom patches or plugins that enforce current password verification if upgrading TYPO3 is not immediately feasible.
7. Review and harden overall access controls to the TYPO3 backend, including network segmentation and VPN usage for administrative access.
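As an added illustration (not TYPO3's own code, and not the project's patch), the PHP sketch below shows a backend password-change handler in its CWE-620 form beside a hardened form that re-authenticates the acting user with password_verify() before any hash is replaced, and that writes an audit line on both denied and allowed changes so item 4 above has something to alert on. The in-memory user store, the function names and the audit array are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. $users stands in for a backend user table;
// every record below is constructed for the example.

/** Constructed user store keyed by uid: [uid => ['username' => ..., 'hash' => ...]] */
function seedUsers(): array
{
    return [
        1 => ['username' => 'admin',  'hash' => password_hash('Adm1n-current-pw',  PASSWORD_DEFAULT)],
        2 => ['username' => 'editor', 'hash' => password_hash('Ed1tor-current-pw', PASSWORD_DEFAULT)],
    ];
}

/** CWE-620 variant: a valid admin session is all that is needed to set a new hash. */
function changePasswordUnverified(array &$users, int $actingUid, int $targetUid, string $newPassword): bool
{
    if (!isset($users[$actingUid], $users[$targetUid])) {
        return false;
    }
    // No proof that the requester knows the current password: a hijacked or
    // unattended admin session is enough to take over either account.
    $users[$targetUid]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

/**
 * Hardened variant: the *acting* user must prove knowledge of their own current
 * password before any hash is replaced, whether editing themselves or another user.
 * Returns ['ok' => bool, 'reason' => string] so the caller can log the outcome.
 */
function changePasswordVerified(
    array &$users,
    int $actingUid,
    int $targetUid,
    string $currentPassword,
    string $newPassword,
    array &$audit
): array {
    if (!isset($users[$actingUid], $users[$targetUid])) {
        return ['ok' => false, 'reason' => 'unknown user'];
    }
    if (!password_verify($currentPassword, $users[$actingUid]['hash'])) {
        // A failed re-authentication from an active admin session is itself a signal worth alerting on.
        $audit[] = sprintf('DENY  acting=%d target=%d reason=current-password-mismatch', $actingUid, $targetUid);
        return ['ok' => false, 'reason' => 'current password mismatch'];
    }
    if (strlen($newPassword) < 12) {
        return ['ok' => false, 'reason' => 'new password too short'];
    }
    $users[$targetUid]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $audit[] = sprintf('ALLOW acting=%d target=%d reason=password-changed', $actingUid, $targetUid);
    return ['ok' => true, 'reason' => 'changed'];
}

// Demonstration: a session for uid 1 (admin) whose holder does not know the admin's current password.
$users = seedUsers();
$audit = [];

// Unverified handler: the session alone suffices to reset the editor's password.
var_dump(changePasswordUnverified($users, 1, 2, 'session-only-change-1234'));

// Verified handler: the same session is refused when the current password is wrong ...
$users = seedUsers();
$r = changePasswordVerified($users, 1, 2, 'wrong-guess', 'session-only-change-1234', $audit);
var_dump($r['ok'], $r['reason']);

// ... and succeeds only when the acting admin supplies their own current password.
$r = changePasswordVerified($users, 1, 2, 'Adm1n-current-pw', 'new-editor-pw-5678!', $audit);
var_dump($r['ok'], password_verify('new-editor-pw-5678!', $users[2]['hash']));

print_r($audit);
```

The check is deliberately bound to the acting user rather than the target: an administrator editing another account still has to re-enter their own password, which is the case the advisory text describes. Comparing against the stored hash with password_verify() keeps the handler independent of how the hash was produced, and the audit lines give a monitoring rule a concrete event (repeated DENY entries from one session) to key on.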
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-14T10:32:43.529Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeb0a7
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 12:27:09 PM
Last updated: 8/9/2025, 3:10:59 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)