CVE-2025-52289: n/a
A Broken Access Control vulnerability in MagnusBilling v7.8.5.3 allows newly registered users to gain escalated privileges by sending a crafted request to /mbilling/index.php/user/save to set their account status from "pending" to "active" without requiring administrator approval.
AI Analysis
Technical Summary
CVE-2025-52289 is a Broken Access Control vulnerability in MagnusBilling version 7.8.5.3, a billing and customer-management platform used by telecom and VoIP service providers.

The flaw is in the account-activation workflow. A self-registered account is created in the "pending" state and is meant to stay there until an administrator approves it. According to the CVE description, a newly registered user can instead send a crafted request to /mbilling/index.php/user/save that sets their own account status from "pending" to "active", and the server applies the change. The root cause is a missing server-side authorization check on a client-supplied field: the save handler honours a status value sent by the caller without verifying that the caller is an administrator, the weakness commonly described as mass assignment or missing field-level authorization. This is not an authentication bypass; the attacker needs an account, but self-registration provides one, and no administrator credentials are required.

The practical effect is that the approval gate is skipped and the attacker gains whatever services and features an approved account can reach. Exposure depends on whether public self-registration is enabled; where it is disabled, only accounts that already exist in the pending state could abuse the flaw. No CVSS score has been assigned (the CVE record lists the CVSS version as null), and no public exploits in the wild had been reported as of the publication date (July 31, 2025). The attack is nonetheless cheap: a single HTTP request from a self-registered account, easily scripted for bulk account creation, so the bar for abuse is low.
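The access-control failure described above, modelled as an added example: a "save" handler that copies whatever fields the client sends, next to a hardened handler that decides writable fields from the server-side session role. This is hypothetical Python written for this page, not MagnusBilling's own code; the role names, field names and in-memory user table are assumptions for illustration.

```python
"""Model of the CVE-2025-52289 pattern: a user "save" handler that writes
whatever fields the client sends, next to a hardened version that enforces a
per-role field allowlist.  Hypothetical Python, not MagnusBilling's own code;
the field and role names are assumptions for illustration."""
from dataclasses import dataclass

ADMIN, CLIENT = "admin", "client"


class Forbidden(Exception):
    """Raised by the hardened handler when the caller may not make the change."""


@dataclass
class User:
    uid: int
    role: str
    status: str = "pending"   # self-registered accounts start here
    email: str = ""


# Constructed in-memory user table; a real deployment would use its database.
DB = {1: User(uid=1, role=ADMIN, status="active", email="admin@example.test")}


def register(uid: int, email: str) -> User:
    """Self-registration: the account is always created pending approval."""
    DB[uid] = User(uid=uid, role=CLIENT, status="pending", email=email)
    return DB[uid]


def save_user_vulnerable(session_uid: int, form: dict) -> User:
    """Vulnerable pattern: every submitted attribute is copied onto the record,
    so a pending client can submit status=active for their own account."""
    target = DB[int(form.get("id", session_uid))]
    for key, value in form.items():
        if key != "id" and hasattr(target, key):
            setattr(target, key, value)
    return target


SELF_EDITABLE = {"email"}          # what an ordinary user may change on themselves
ADMIN_ONLY = {"status", "role"}    # privilege-bearing fields: administrators only


def save_user_hardened(session_uid: int, form: dict) -> User:
    """Hardened pattern: the caller's role (read from the server-side session,
    never from the request) decides which fields are writable; anything else
    is rejected rather than silently dropped so attempts are visible in logs."""
    caller = DB[session_uid]
    target_id = int(form.get("id", session_uid))
    if caller.role != ADMIN and target_id != session_uid:
        raise Forbidden("ordinary users may only edit their own record")
    allowed = SELF_EDITABLE | (ADMIN_ONLY if caller.role == ADMIN else set())
    rejected = sorted(k for k in form if k != "id" and k not in allowed)
    if rejected:
        raise Forbidden(f"field(s) not writable by role {caller.role}: {rejected}")
    target = DB[target_id]
    for key in allowed:
        if key in form:
            setattr(target, key, form[key])
    return target


def demo() -> dict:
    """Exercise both handlers; returns the resulting statuses for inspection."""
    register(42, "eve@example.test")
    save_user_vulnerable(42, {"status": "active"})           # succeeds: the flaw
    register(43, "mallory@example.test")
    try:
        save_user_hardened(43, {"status": "active"})         # must be refused
        blocked = False
    except Forbidden:
        blocked = True
    save_user_hardened(1, {"id": "43", "status": "active"})  # admin approval path
    return {"vulnerable": DB[42].status, "hardened_blocked": blocked,
            "after_admin_approval": DB[43].status}


if __name__ == "__main__":
    print(demo())
```

The hardened handler rejects unexpected fields instead of ignoring them: silently dropping `status` would close the hole but hide every exploitation attempt, whereas a `Forbidden` response gives the application log something to alert on. Note that the role is looked up from the stored record for the session, never taken from the submitted form.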
Potential Impact
For European organizations running MagnusBilling, particularly telecom operators, ISPs and service providers that manage customer accounts and billing, the consequences could be serious. Accounts that activate themselves bypass whatever vetting the approval step was meant to provide, leading to fraudulent use of services (for a VoIP provider, calls that are never paid for), revenue loss, and erosion of customer trust. Attackers might use the flaw to bypass subscription controls, access premium services without payment, or manipulate billing records. An unauthorized active account can also serve as a foothold for further attacks, such as data exfiltration or lateral movement, and unauthorized access to customer or billing data may constitute a personal data breach under GDPR, with the notification obligations that entails. Without an administrator in the loop, automated mass registration and self-activation become feasible, which is what makes large-scale fraud campaigns possible. No exploitation in the wild is currently known, but the attack is a single crafted HTTP request, so exploitation is straightforward now that the details are public.
Mitigation Recommendations
Organizations running MagnusBilling 7.8.5.3 should:
- Check with the vendor for a release that addresses CVE-2025-52289 and upgrade as soon as one is available; no fixed version is named in the CVE record.
- Where the deployment can be patched locally, fix the handler behind /mbilling/index.php/user/save so that the status field is never taken from the request for non-administrative callers: keep a per-role allowlist of writable fields, reject (rather than silently drop) anything outside it so that attempts show up in logs, and restrict non-administrators to editing their own record. Review the same handler for other privilege-bearing fields (role, group, credit limits) that might be exposed the same way; the CVE documents only the status field, so this is a verification step, not a known issue.
- Verify the fix by registering a fresh account, replaying the save request with status set to "active" from that session, and confirming that the request is rejected and the stored status remains "pending".
- As an interim control, disable public self-registration if the business allows; the flaw then affects only accounts already in the pending state, and those can be reviewed manually.
- A WAF rule that blocks requests to /mbilling/index.php/user/save carrying a status parameter from non-administrative sessions can buy time, but treat it as a stopgap: the WAF usually cannot see the caller's role, parameter-name matching is easily evaded by encoding variations, and a blanket block would break legitimate profile saves. Test any rule against both the administrator and the ordinary-user workflow.
- Monitor and alert on account status transitions from "pending" to "active" that were not performed by an administrator, on accounts that change their own status, and on bursts of registrations followed by activation from the same source address. Audit the user table now for accounts activated without a matching administrator action.
- Add email or phone verification to the registration workflow, keep manual approval in place, and isolate billing systems from the broader network to limit what a fraudulent active account can reach.
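A detection routine for the monitoring recommendation above, added here as an example and not part of MagnusBilling or the original advisory. The JSON audit-log format, its field names and the sample records are constructed assumptions; the five-minute window and threshold of three are tunable guesses. It flags every pending-to-active transition not performed by an administrator on another account, then groups the flagged events by source address to surface automated abuse.

```python
"""Detection for the CVE-2025-52289 pattern: account status transitions
pending -> active that were not performed by an administrator, plus a burst
check for automated self-activation.  Hypothetical audit-log format,
constructed for this example; adapt parse() to the change log your
deployment actually emits."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one record per field change on a user row.
SAMPLE_LOG = """\
{"ts":"2025-07-31T14:01:05Z","actor":1,"actor_role":"admin","target":10,"field":"status","old":"pending","new":"active","src_ip":"10.0.0.5"}
{"ts":"2025-07-31T14:02:11Z","actor":42,"actor_role":"client","target":42,"field":"status","old":"pending","new":"active","src_ip":"203.0.113.9"}
{"ts":"2025-07-31T14:02:40Z","actor":43,"actor_role":"client","target":43,"field":"email","old":"x@example.test","new":"y@example.test","src_ip":"203.0.113.9"}
{"ts":"2025-07-31T14:03:02Z","actor":44,"actor_role":"client","target":44,"field":"status","old":"pending","new":"active","src_ip":"203.0.113.9"}
{"ts":"2025-07-31T14:03:30Z","actor":45,"actor_role":"client","target":45,"field":"status","old":"pending","new":"active","src_ip":"203.0.113.9"}
{"ts":"2025-07-31T15:10:00Z","actor":2,"actor_role":"admin","target":46,"field":"status","old":"pending","new":"active","src_ip":"10.0.0.6"}
"""


def parse(text: str):
    """Yield one dict per non-empty JSON line, with ts converted to datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def unauthorized_activations(records) -> list:
    """Every pending -> active transition that an admin did not perform on
    someone else: non-admin actors, and any account activating itself."""
    hits = []
    for r in records:
        if r["field"] != "status" or (r["old"], r["new"]) != ("pending", "active"):
            continue
        if r["actor_role"] != "admin" or r["actor"] == r["target"]:
            hits.append(r)
    return hits


def activation_bursts(hits, window=timedelta(minutes=5), threshold=3) -> dict:
    """Map source IP -> event count for IPs with at least `threshold`
    unauthorized activations inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for r in hits:
        by_ip[r["src_ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def analyse(log_text: str = SAMPLE_LOG) -> dict:
    """Run both checks over a log; returns the targets that activated
    themselves and the source addresses that did so in bursts."""
    hits = unauthorized_activations(parse(log_text))
    return {"self_activations": [r["target"] for r in hits],
            "bursty_sources": activation_bursts(hits)}


if __name__ == "__main__":
    print(json.dumps(analyse(), indent=2))
```

On the constructed sample the two administrator approvals are ignored and the three client self-activations from 203.0.113.9 are reported, both individually and as a burst. The same rule can be run retrospectively as a one-off audit of the user table if a change log exists, and as a streaming alert afterwards.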
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 688b821dad5a09ad00b8e784
Added to database: 7/31/2025, 2:47:57 PM
Last enriched: 7/31/2025, 3:03:03 PM
Last updated: 8/3/2025, 12:37:24 AM
Related Threats
- CVE-2025-54351: CWE-420 Unprotected Alternate Channel in ES iperf3 (High)
- CVE-2025-54350: CWE-617 Reachable Assertion in ES iperf3 (Low)
- CVE-2025-54349: CWE-193 Off-by-one Error in ES iperf3 (Medium)
- CVE-2025-8466: SQL Injection in code-projects Online Farm System (Medium)
- CVE-2025-8400: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in aumsrini Image Gallery (Medium)