CVE-2025-57997 is a Missing Authorization vulnerability (CWE-862) identified in the Trustpilot Reviews product, affecting versions up to 2.5.925. This vulnerability arises from incorrectly configured access control security levels, allowing an attacker with limited privileges (PR:L - privileges required: low) to exploit the system without requiring user interaction (UI:N). The vulnerability is remotely exploitable over the network (AV:N) and impacts confidentiality (C:L) but does not affect integrity or availability. Missing authorization means that certain functions or data within the Trustpilot Reviews platform are accessible without proper permission checks, potentially exposing sensitive information or allowing unauthorized access to review data. The CVSS v3.1 base score is 4.3, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on September 22, 2025, and was reserved a month earlier. Given Trustpilot's role as a widely used online review platform, this vulnerability could allow attackers to access or scrape review data or other sensitive information that should be restricted, potentially undermining user privacy and trust in the platform.

For European organizations, the impact of this vulnerability depends largely on their reliance on Trustpilot Reviews for customer feedback and reputation management. Organizations using Trustpilot Reviews may face unauthorized disclosure of sensitive review data or internal metrics if attackers exploit this missing authorization flaw. This could lead to reputational damage, loss of customer trust, and potential regulatory scrutiny under GDPR if personal data is exposed. Additionally, attackers might leverage the vulnerability to gather intelligence on competitors or manipulate review-related data indirectly. While the vulnerability does not allow modification or deletion of data (no integrity impact), the confidentiality breach alone can be significant, especially for businesses in regulated sectors or those with high public visibility. The medium severity score reflects a moderate risk, but the ease of exploitation (low privileges, no user interaction) means that attackers with minimal access could leverage this flaw, increasing the threat level for organizations heavily integrated with Trustpilot services.

Since no official patches are currently linked, European organizations should implement compensating controls immediately. These include: 1) Restricting access to Trustpilot Reviews administrative or sensitive interfaces to trusted IP ranges or VPNs to limit exposure. 2) Monitoring and auditing access logs for unusual or unauthorized access patterns to detect exploitation attempts early. 3) Reviewing and tightening internal access control policies within Trustpilot integrations to ensure least privilege principles are enforced. 4) Engaging with Trustpilot support or vendor channels to obtain timelines for official patches and applying them promptly once available. 5) Educating staff about the risks of unauthorized data exposure and ensuring that API keys or credentials used with Trustpilot are securely managed and rotated regularly. 6) Considering temporary suspension or limitation of Trustpilot integration features that expose sensitive data until the vulnerability is remediated. These targeted actions go beyond generic advice by focusing on access restrictions, monitoring, and vendor engagement specific to this vulnerability context.