CVE-2025-57971: CWE-862 Missing Authorization in SALESmanago SALESmanago & Leadoo

Medium
Tags: Vulnerability, CVE-2025-57971, cve, cwe-862
Published: Mon Sep 22 2025 (09/22/2025, 18:24:36 UTC)
Source: CVE Database V5
Vendor/Project: SALESmanago
Product: SALESmanago & Leadoo

Description

Missing Authorization vulnerability in SALESmanago SALESmanago & Leadoo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SALESmanago & Leadoo: from n/a through 3.8.1.

AI-Powered Analysis

Last updated: 10/04/2025, 03:34:11 UTC

Technical Analysis

CVE-2025-57971 is a security vulnerability classified under CWE-862, Missing Authorization. It affects the SALESmanago & Leadoo platform in versions up to and including 3.8.1. The core issue is that access control security levels are incorrectly configured, so users who should not be allowed to perform certain actions or reach certain resources are not blocked from doing so. Exploitation requires no authentication (PR:N) and no user interaction (UI:N), and the vulnerable component is reachable over the network (AV:N). The CVSS v3.1 base score is 5.3, a medium severity rating. The rated impact is to integrity only: unauthorized modifications or actions could be performed, while confidentiality and availability are not directly affected. The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component and does not extend to other components. No exploits in the wild have been reported, and no patch has been linked at the time of writing. The CVE was reserved in August 2025 and published in September 2025, so it is a recent disclosure. SALESmanago & Leadoo are marketing automation and customer engagement platforms widely used to manage customer data and interactions, which makes the integrity of their access controls critical to preventing unauthorized manipulation of marketing campaigns, customer segmentation, or customer data.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the integrity of marketing and customer engagement operations. Unauthorized access could lead to manipulation of customer data, alteration of marketing campaigns, or unauthorized changes to segmentation rules, potentially resulting in reputational damage, loss of customer trust, and regulatory compliance issues under GDPR due to improper handling of personal data. While confidentiality is not directly impacted, the integrity breach could indirectly expose sensitive business strategies or customer targeting information. The lack of required authentication and user interaction increases the risk of automated exploitation attempts. Organizations relying heavily on SALESmanago & Leadoo for customer engagement could face operational disruptions and potential financial losses if attackers exploit this vulnerability to sabotage marketing efforts or inject malicious configurations.

Mitigation Recommendations

European organizations should immediately audit their current SALESmanago & Leadoo deployments to identify affected versions (up to 3.8.1). Until an official patch is released, organizations should implement strict network-level access controls to restrict access to the SALESmanago & Leadoo management interfaces, limiting them to trusted IP addresses and VPNs. Monitoring and logging of all access attempts should be enhanced to detect unusual or unauthorized activities promptly. Organizations should also review and tighten role-based access controls within the platform to minimize the risk of privilege escalation. Engaging with SALESmanago support for early patch availability or workarounds is recommended. Additionally, organizations should conduct internal penetration testing focusing on access control mechanisms to identify and remediate any other potential authorization weaknesses. Finally, staff training on recognizing suspicious activity related to marketing platforms can help in early detection of exploitation attempts.

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-08-22T11:37:02.930Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e0920411971642e85b877e

Added to database: 10/4/2025, 3:18:28 AM

Last enriched: 10/4/2025, 3:34:11 AM

Last updated: 10/4/2025, 3:34:11 AM
