CVE-2025-62362 is an information disclosure vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting the GPP-burgerportaal application, a citizen portal used by the Dutch government. The flaw exists in versions before 2.0.3, 3.0.2, and 4.0.1, where employee names and email addresses who publish content are inadvertently included in network responses. These responses are accessible through standard browser developer tools, such as the network tab, without requiring authentication or user interaction. The exposure arises from insufficient filtering or sanitization of response data, leading to leakage of private personal information. This can enable attackers to harvest employee contact details for targeted phishing, spear-phishing, or social engineering campaigns, potentially compromising internal systems or eroding trust in government digital services. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting its medium severity due to network exploitability and lack of authentication requirements, but limited impact on confidentiality scope and no direct impact on integrity or availability. The issue has been addressed in versions 2.0.3, 3.0.2, and 4.0.1 by removing or securing the exposed data in network responses. No known exploits have been reported in the wild, and no workarounds are available, making patching the sole effective mitigation.

For European organizations, particularly Dutch government entities using GPP-burgerportaal, this vulnerability poses a privacy risk by exposing employee personal information. Such exposure can lead to targeted phishing or social engineering attacks against employees, increasing the likelihood of credential theft, unauthorized access, or further compromise of government systems. The reputational damage from privacy violations can erode citizen trust in digital government services. While the direct impact on system integrity and availability is low, the indirect consequences through social engineering could be significant. Other European countries are less likely to be affected unless they deploy this specific portal. However, the incident underscores the importance of securing personal data in government digital services across Europe, aligning with GDPR requirements. Failure to patch may also lead to regulatory scrutiny and potential fines related to data protection laws.

The primary mitigation is to upgrade GPP-burgerportaal to versions 2.0.3, 3.0.2, or 4.0.1 or later, where the vulnerability is patched. Organizations should verify their current version and apply updates promptly. In the absence of workarounds, patching is critical. Additionally, administrators should audit network traffic and logs for unusual access patterns that might indicate reconnaissance attempts. Implement strict access controls and monitoring on the portal infrastructure to detect and prevent unauthorized data harvesting. Employee awareness training on phishing and social engineering risks should be enhanced, given the increased risk from exposed contact information. Finally, review and minimize the amount of personal information included in network responses and logs as a best practice to reduce attack surface.