
CVE-2025-60094: CWE-862 Missing Authorization in Benjamin Intal Stackable

Severity: Medium
Tags: Vulnerability, CVE-2025-60094, CWE-862
Published: Fri Sep 26 2025 (09/26/2025, 08:31:17 UTC)
Source: CVE Database V5
Vendor/Project: Benjamin Intal
Product: Stackable

Description

Missing Authorization vulnerability in Benjamin Intal Stackable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stackable: from n/a through 3.18.1.

AI-Powered Analysis

AI analysis last updated: 10/04/2025, 00:35:44 UTC

Technical Analysis

CVE-2025-60094 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the Benjamin Intal Stackable product up to and including version 3.18.1. It arises from incorrectly configured access control security levels, which let an attacker holding only low privileges (PR:L) perform actions that should have required an authorization check, affecting the integrity of the system. Exploitation requires no user interaction (UI:N) and is possible remotely over the network (AV:N). The scope is unchanged (S:U), meaning the exploit affects resources within the same security scope as the vulnerable component. The CVSS v3.1 base score is 4.3, reflecting a moderate risk: the impact is limited to integrity, with no effect on confidentiality or availability. Because the flaw is neither an authentication bypass nor an escalation to high-level privileges, its severity is bounded, but the missing authorization check can still let a low-privileged user modify data or configuration they should not be able to change. No exploits in the wild have been reported and no patch has been linked yet, so mitigation may depend on vendor updates or configuration changes once they become available. The affected range is given as "from n/a through 3.18.1", i.e. no lower bound is stated, so all releases up to and including 3.18.1 should be treated as affected.

Potential Impact

For European organizations using Benjamin Intal Stackable, this vulnerability poses a risk to data integrity and system trustworthiness. Attackers with low-level privileges could exploit the missing authorization to modify configurations or data, potentially leading to unauthorized changes that disrupt business processes or compromise data accuracy. While confidentiality and availability are not directly impacted, integrity violations can have cascading effects, such as incorrect data processing, compliance violations, or enabling further attacks. Organizations in sectors with strict regulatory requirements (e.g., finance, healthcare, critical infrastructure) may face increased risk due to the potential for unauthorized data manipulation. The remote exploitability without user interaction increases the threat surface, especially for internet-facing deployments or internal systems accessible by multiple users. The absence of known exploits suggests a window for proactive mitigation before active exploitation occurs.

Mitigation Recommendations

European organizations should immediately review and audit access control configurations within Stackable deployments to ensure that authorization checks are correctly enforced according to the principle of least privilege. Until an official patch is released, administrators should restrict network exposure of Stackable services, especially limiting access to trusted internal networks and enforcing strict authentication and authorization policies. Implementing enhanced monitoring and logging for access control violations or unusual privilege use can help detect attempted exploitation. Organizations should engage with Benjamin Intal for timely updates and apply patches promptly once available. Additionally, conducting internal penetration testing focusing on access control mechanisms can identify potential misconfigurations. Where possible, segmenting the Stackable environment and applying network-level controls (e.g., firewalls, VPNs) can reduce the risk of remote exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:20:09.847Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d72b6379aa5c9d0854f4fc

Added to database: 9/27/2025, 12:10:11 AM

Last enriched: 10/4/2025, 12:35:44 AM

Last updated: 10/7/2025, 1:41:05 PM
