CVE-2025-48138 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the BERTHA AI product developed by berthaai, up to version 1.12.11. This vulnerability arises due to incorrectly configured access control security levels, which results in missing authorization checks. Specifically, the flaw allows an attacker with some level of privileges (PR:L - Privileges Required: Low) to exploit the system remotely (AV:N - Attack Vector: Network) without requiring user interaction (UI:N). The vulnerability does not impact confidentiality or integrity but affects availability (A:L), meaning an attacker could potentially disrupt service or cause denial of service conditions. The CVSS 3.1 base score is 4.3, indicating a medium severity level. The vulnerability is publicly disclosed as of May 16, 2025, but there are no known exploits in the wild yet, and no patches have been linked or released at this time. The issue is critical from an access control perspective because missing authorization checks can allow unauthorized actions or resource access, potentially leading to service disruption or unauthorized system behavior. Since BERTHA AI is an AI-driven product, the impact could extend to AI service availability or reliability, affecting dependent workflows or applications.

For European organizations, the impact of this vulnerability could be significant depending on their reliance on BERTHA AI for critical AI services or business processes. The availability impact means that attackers could cause service interruptions, potentially disrupting operations that depend on AI-driven automation, content generation, or decision support. Organizations in sectors such as finance, healthcare, manufacturing, and public services that integrate BERTHA AI into their workflows might experience operational delays or degraded service quality. Additionally, missing authorization could be leveraged as a stepping stone for further attacks if combined with other vulnerabilities or misconfigurations. Although the confidentiality and integrity are not directly affected, the availability impact alone can lead to financial losses, reputational damage, and compliance challenges, especially under strict European data protection and operational resilience regulations. The lack of patches currently increases the risk window, and organizations must be vigilant in monitoring and mitigating potential exploitation attempts.

Given the absence of an official patch, European organizations should implement compensating controls immediately. These include: 1) Restricting network access to BERTHA AI management interfaces and APIs using firewalls or network segmentation to limit exposure to trusted internal users only; 2) Enforcing strict role-based access control (RBAC) and reviewing user privileges to ensure minimal necessary access, reducing the risk from low-privilege accounts; 3) Monitoring and logging all access attempts and unusual activities related to BERTHA AI to detect potential exploitation attempts early; 4) Applying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspicious access patterns targeting authorization flaws; 5) Engaging with the vendor for timely updates and patches, and preparing for rapid deployment once available; 6) Conducting internal security assessments and penetration tests focusing on access control mechanisms of BERTHA AI deployments; 7) Educating administrators and users about the risks of missing authorization vulnerabilities and enforcing strict operational security policies.