CVE-2025-48476 is a high-severity vulnerability affecting FreeScout, a free, self-hosted help desk and shared mailbox application. The flaw exists in versions prior to 1.8.180 and is classified under CWE-841, which pertains to improper enforcement of behavioral workflow. Specifically, the vulnerability arises from the use of the fill() method when adding or editing user records. This method fails to verify the absence of the password field in user-supplied data, leading to a mass-assignment vulnerability. Consequently, any user with permission to edit other users' profiles can manipulate the password field to reset another user's password without proper authorization. This enables the attacker to log in as the targeted user, potentially gaining unauthorized access to sensitive help desk data and functionalities. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity, given the attacker already has limited privileges (permission to edit users). The issue has been addressed and patched in FreeScout version 1.8.180. The CVSS 4.0 base score is 7.1, reflecting a high severity due to network attack vector, no user interaction, and the ability to compromise confidentiality and integrity with low privileges.

For European organizations using FreeScout as their help desk or shared mailbox solution, this vulnerability poses a significant risk. Exploitation allows an attacker with limited user privileges to escalate their access by changing other users' passwords, potentially including administrative accounts. This can lead to unauthorized access to sensitive customer support data, internal communications, and operational workflows. The compromise of help desk systems can facilitate further lateral movement within the organization, data exfiltration, or disruption of customer support services. Given the critical role help desk platforms play in managing incident response and customer interactions, such an attack can degrade organizational trust and operational continuity. Additionally, unauthorized access to user accounts may violate GDPR requirements concerning data protection and access controls, exposing organizations to regulatory penalties and reputational damage.

European organizations should immediately verify their FreeScout version and upgrade to version 1.8.180 or later, where the vulnerability is patched. Until the upgrade is applied, restrict user permissions to the minimum necessary, specifically limiting the ability to edit other users' profiles to trusted administrators only. Implement monitoring and alerting on user account modifications, especially password changes initiated by other users, to detect potential exploitation attempts. Employ multi-factor authentication (MFA) for all user accounts to reduce the impact of compromised credentials. Conduct regular audits of user permissions and access logs to identify anomalous activities. Additionally, consider network segmentation to isolate the FreeScout server from broader internal networks, limiting potential lateral movement if compromised. Finally, educate administrators and users about the risks of privilege misuse and enforce strict change management policies for user account modifications.