CVE-2025-58009 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the codepeople CP Multi View Event Calendar product, up to version 1.4.32. This vulnerability arises due to improperly configured access control security levels, allowing an attacker with certain privileges to bypass authorization checks. Specifically, the flaw permits exploitation of incorrectly enforced access controls, potentially enabling unauthorized actions that should be restricted. The CVSS 3.1 base score is 3.8, indicating a low severity level. The vector details (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L) reveal that the attack can be performed remotely over the network with low attack complexity, but requires the attacker to have high privileges (PR:H) and does not require user interaction. The impact affects integrity and availability, with no confidentiality loss. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is significant in environments where the CP Multi View Event Calendar is deployed and where users with elevated privileges might be tricked or maliciously act to exploit missing authorization controls, potentially leading to unauthorized modifications or disruptions in calendar data or functionality.

For European organizations using the CP Multi View Event Calendar, this vulnerability could lead to unauthorized modifications or disruptions in event scheduling and calendar data integrity. Although the severity is low, the requirement for high privileges means that insider threats or compromised privileged accounts could exploit this flaw to alter calendar events or availability, potentially disrupting business operations, internal communications, or event management workflows. In sectors relying heavily on accurate scheduling such as healthcare, transportation, or government agencies, even limited integrity or availability impacts could cause operational inefficiencies or reputational damage. Since the vulnerability does not affect confidentiality, direct data breaches are unlikely, but the integrity and availability issues could indirectly affect compliance with regulations like GDPR if operational disruptions lead to data processing failures or service outages.

Organizations should immediately review and tighten access control configurations within the CP Multi View Event Calendar, ensuring that authorization checks are correctly implemented and enforced for all privileged operations. Restrict administrative or high-privilege access to trusted personnel only, and monitor privileged account activities for suspicious behavior. Implement role-based access control (RBAC) policies to minimize privilege exposure. Since no official patches are currently available, consider isolating or limiting network exposure of the calendar system to reduce remote attack vectors. Regularly audit the calendar application logs for unauthorized changes or access attempts. Additionally, maintain up-to-date backups of calendar data to enable recovery in case of integrity or availability compromise. Engage with the vendor for timely patch releases and apply updates as soon as they become available.