CVE-2025-54120: CWE-532: Insertion of Sensitive Information into Log File in PCL-Community PCL2-CE
PCL (Plain Craft Launcher) Community Edition is a Minecraft launcher. In PCL CE versions 2.12.0-beta.5 to 2.12.0-beta.9, the login credentials used during the third-party login process are accidentally recorded in the local log file. Although the log file is not automatically uploaded or shared, if the user manually sends the log file, there is a risk of leakage. This is fixed in version 2.12.0-beta.10.
AI Analysis
Technical Summary
CVE-2025-54120 affects the PCL-Community PCL2-CE Minecraft launcher, versions 2.12.0-beta.5 through 2.12.0-beta.9. It is classified as CWE-532 (insertion of sensitive information into a log file): during the third-party login flow the launcher writes the credentials it submits to the authentication service into its local log file. The launcher never uploads or shares that file on its own, so the defect is not exploitable remotely; it becomes a leak when a user hands the log to someone else, typically by attaching it to a bug report or support request, or when another party can already read the file on the machine. No authentication is needed to read the credentials out of a log, but the user has to share it (or the attacker has to have local read access). The assigned CVSS 4.0 base score is 9.3 (critical), with a local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N) and active user interaction (UI:A). The high confidentiality, integrity and availability ratings describe what can be done with the account once the credentials are known, not a direct effect on the launcher or host, so in practice this should be triaged as a credential-disclosure bug whose real severity depends on how readily users post their logs. The fix shipped in 2.12.0-beta.10. Upgrading stops further writes but does not retroactively clean logs produced by affected versions; any such log should be assumed to still contain the credentials until it is deleted or scrubbed.
Potential Impact
For European organizations the exposure is mostly at the level of individual users who run PCL2-CE on corporate or personal devices. The credentials at stake are those for whichever third-party authentication service the user signed in with; if the same password is reused elsewhere, a leaked log turns into an account takeover on every service that shares it. The launcher itself is not an enterprise asset and the bug does not touch enterprise systems directly, but harvested credentials and account details can feed phishing or social-engineering attempts against the same people inside an organization, and the risk is higher where those people hold elevated privileges. The realistic leak path is a user posting a complete log in a public support forum, issue tracker or chat while asking for help, where anyone can read it later. Minecraft and its launchers are widely used in Europe, and gaming communities routinely exchange launcher logs this way, so credential theft leading to account takeover is a tangible outcome rather than a theoretical one.
Mitigation Recommendations
Update PCL2-CE to version 2.12.0-beta.10 or later. Treat every log file produced by an affected version as if it already holds the credentials: delete those files, or scrub them before keeping them, and change the password (or revoke and re-issue the token) for any third-party login performed with an affected build. Do not share launcher logs unless they have been sanitized; if support genuinely needs a log, remove credential-like values first. Restrict read access to the launcher's log directory to the user's own account, and keep it out of shared folders and cloud-synced backups. Use a unique, strong password for the account used with the third-party login and enable multi-factor authentication where the service offers it, so that a leaked password alone is not enough. On managed endpoints, EDR telemetry can flag unusual reads or uploads of launcher log files, and application allow-listing keeps unapproved launchers off corporate devices in the first place. Security awareness material should cover the general rule that logs are shared only after review, and that client software is updated promptly.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T23:53:40.508Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68803137ad5a09ad0004bf4e
Added to database: 7/23/2025, 12:47:51 AM
Last enriched: 7/23/2025, 1:02:52 AM
Last updated: 7/23/2025, 3:09:39 AM
Related Threats
- CVE-2025-24928: CWE-121 Stack-based Buffer Overflow in xmlsoft libxml2 (High)
- CVE-2025-42947: CWE-94: Improper Control of Generation of Code in SAP_SE SAP FICA ODN framework (Medium)
- CVE-2025-7722: CWE-272 Least Privilege Violation in steverio Social Streams (High)
- CVE-2025-6261: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fleetwire Fleetwire Fleet Management (Medium)
- CVE-2025-6215: CWE-862 Missing Authorization in omnishop Omnishop – Mobile shop apps complementing your WooCommerce webshop (Medium)