CVE-2025-48475 is an authorization vulnerability identified in FreeScout, a free self-hosted help desk and shared mailbox system. The issue affects versions prior to 1.8.180. The core problem lies in the system's failure to properly enforce access control checks on which clients an authorized user can view and edit. Specifically, even users who are authorized but do not have explicit access to any mailboxes or conversations can still view and modify client information. This occurs because the setting limit_user_customer_visibility, which is intended to restrict client visibility, is not checked in certain scenarios, allowing unauthorized access to client data. This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that the system does not correctly enforce permissions. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting a medium severity level. The vector indicates that the attack can be performed remotely over the network without user interaction, requires low privileges (an authorized user), and results in limited confidentiality and integrity impact but no availability impact. The issue was patched in FreeScout version 1.8.180. No known exploits are currently reported in the wild. The vulnerability could allow unauthorized users within an organization to access and modify client data they should not have access to, potentially leading to data leakage, unauthorized data manipulation, and undermining trust in the help desk system's integrity.

For European organizations using FreeScout versions prior to 1.8.180, this vulnerability poses a risk of unauthorized internal data exposure and modification. Since FreeScout is often used to manage customer support tickets and communications, unauthorized access to client data could lead to breaches of personal data protected under GDPR, resulting in legal and regulatory consequences. The ability for an authorized user with limited privileges to escalate their access to client information could also facilitate insider threats or lateral movement within the organization. This could undermine customer trust and damage the organization's reputation. Additionally, unauthorized edits to client records could disrupt support workflows, cause misinformation, and impact service quality. The medium severity rating suggests that while the vulnerability is not critical, it still represents a significant risk that should be addressed promptly to maintain compliance and operational integrity.

European organizations should immediately verify their FreeScout deployment version and upgrade to version 1.8.180 or later where the vulnerability is patched. If upgrading is not immediately feasible, organizations should implement strict access controls and audit logging to monitor user activities related to client data. Specifically, review and enforce the limit_user_customer_visibility setting to ensure it is properly configured and effective. Conduct internal access reviews to limit the number of users with authorized access to FreeScout and restrict permissions to the minimum necessary. Additionally, implement network segmentation and role-based access controls (RBAC) to reduce the risk of unauthorized access. Regularly audit logs for unusual access patterns or modifications to client data. Finally, provide training to administrators and users on the importance of access controls and monitoring to prevent exploitation of this vulnerability.