
CVE-2025-62376: CWE-287: Improper Authentication in pwncollege dojo

Severity: Critical
Published: Tue Oct 14 2025 (10/14/2025, 21:58:27 UTC)
Source: CVE Database V5
Vendor/Project: pwncollege
Product: dojo

Description

pwn.college DOJO is an education platform for learning cybersecurity. In versions up to and including commit 781d91157cfc234a434d0bab45cbcf97894c642e, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to access any active Windows VM without proper authorization. The vulnerability occurs in the view_desktop function where the user is retrieved via a URL parameter without verifying that the requester has administrative privileges. An attacker can supply any user ID and arbitrary password in the request parameters to impersonate another user. When requesting a Windows desktop service, the function does not validate the supplied password before generating access credentials, allowing the attacker to obtain an iframe source URL that grants full access to the target user's Windows VM. This impacts all users with active Windows VMs, as an attacker can access and modify data on the Windows machine and in the home directory of the associated Linux machine via the Z: drive. This issue has been patched in commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef. No known workarounds exist.

AI-Powered Analysis

Last updated: 10/14/2025, 22:15:17 UTC

Technical Analysis

CVE-2025-62376 is an improper authentication vulnerability classified under CWE-287 found in the pwn.college DOJO platform, specifically affecting versions up to commit 781d91157cfc234a434d0bab45cbcf97894c642e. The vulnerability resides in the /workspace endpoint's view_desktop function, which retrieves the user identifier from a URL parameter without verifying if the requester has administrative privileges or validating the supplied password. This design flaw allows an attacker to supply arbitrary user IDs and passwords to impersonate any user with an active Windows VM session. The function generates an iframe source URL granting full access to the targeted Windows VM without proper authentication checks. Consequently, an attacker can gain unauthorized access to the Windows desktop environment and modify data both on the Windows VM and the associated Linux home directory accessible via the Z: drive. The vulnerability impacts confidentiality, integrity, and availability of user environments. The issue was patched in commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef, but no alternative mitigations or workarounds are known. The CVSS 4.0 score of 9.5 reflects the vulnerability’s critical nature, with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the ease of exploitation and severity make this a high-risk vulnerability for organizations using the affected platform.
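The authorization pattern described above, modelled as an added example; this is not DOJO's code or its patch. The `User` fields, the `desktop-windows` service name, the per-user `workspace_secret` and both function names are hypothetical, and the sample accounts are constructed.

```python
import hmac
from dataclasses import dataclass

# Hypothetical model of the flaw class; not DOJO's code or patch.
# All names and sample accounts below are assumptions made for illustration.

@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool
    workspace_secret: str  # constructed per-user secret for shared access

USERS = {  # constructed sample accounts
    1: User(1, True, "admin-secret"),
    2: User(2, False, "alice-secret"),
    3: User(3, False, "bob-secret"),
}

def _password_ok(target, password):
    # Constant-time comparison; a missing password never matches.
    return hmac.compare_digest((password or "").encode(),
                               target.workspace_secret.encode())

def target_vulnerable(requester, user_id, password, service):
    """Pattern from the advisory: the target comes from a request parameter,
    admin status is never checked, and the Windows desktop branch skips
    password validation before credentials are generated."""
    if user_id is None:
        return requester
    target = USERS.get(user_id)
    if target is None:
        return None
    if service != "desktop-windows" and not _password_ok(target, password):
        return None
    return target

def target_hardened(requester, user_id, password, service):
    """Deny by default: one check for every service, made before any
    access credential or iframe URL is built."""
    if user_id is None or user_id == requester.id:
        return requester
    target = USERS.get(user_id)
    if target is None:
        return None
    if requester.is_admin or _password_ok(target, password):
        return target
    return None
```
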

Potential Impact

For European organizations using pwn.college DOJO, particularly educational institutions and cybersecurity training centers, this vulnerability poses a significant risk. Attackers could gain unauthorized access to Windows VMs used for training or testing, leading to potential data theft, manipulation, or destruction. Since the vulnerability also allows access to the Linux home directories via the Z: drive, attackers could compromise sensitive user data beyond the Windows environment. This could result in exposure of personal data, intellectual property, or training materials, potentially violating GDPR and other data protection regulations. The ability to fully control virtual machines could also allow attackers to pivot into other network segments if these VMs are connected to broader organizational infrastructure. The critical severity and ease of exploitation mean that unpatched systems are highly vulnerable to compromise, which could disrupt training operations and damage organizational reputation.

Mitigation Recommendations

The primary mitigation is to immediately update pwn.college DOJO to the patched version including commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef or later. Since no workarounds exist, organizations should prioritize patch deployment. Additionally, restrict network access to the /workspace endpoint to trusted users and networks where possible, using network segmentation and firewall rules. Implement monitoring and logging of access to the /workspace endpoint to detect anomalous or unauthorized access attempts. Enforce strong access controls and multi-factor authentication on the platform to reduce risk of credential misuse. Educate users about the importance of reporting suspicious activity. For organizations with sensitive data on these VMs, consider isolating or temporarily disabling Windows VM access until the patch is applied. Conduct a post-patch audit to verify that unauthorized access has not occurred.
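For the endpoint monitoring and post-patch audit recommended above, an added example (not part of the original advisory or the DOJO project) that flags `/workspace` requests in which a non-admin session names a different user. The log layout and the `user` and `password` query parameter names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed application-log lines. The field layout and the "user" and
# "password" parameter names are assumptions, not DOJO's real log format.
SAMPLE_LOG = """\
2025-10-14T20:01:11Z uid=3 admin=0 GET /workspace 200
2025-10-14T20:02:40Z uid=3 admin=0 GET /workspace?user=2&password=REDACTED 200
2025-10-14T20:03:05Z uid=1 admin=1 GET /workspace?user=2 200
2025-10-14T20:04:19Z uid=3 admin=0 GET /workspace?user=3 200
2025-10-14T20:05:52Z uid=4 admin=0 GET /workspace?user=2&password=REDACTED 403
2025-10-14T20:06:00Z uid=4 admin=0 GET /scoreboard?user=2 200
"""

LINE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) admin=(?P<admin>[01]) "
    r"GET (?P<url>\S+) (?P<status>\d{3})$"
)


def cross_user_workspace_hits(log_text):
    """Return (timestamp, requester_id, target, status) for /workspace
    requests where a non-admin named a different user in the query string."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = urlsplit(m["url"])
        if url.path != "/workspace" and not url.path.startswith("/workspace/"):
            continue
        # parse_qs returns every occurrence, so repeated "user" values are seen
        for target in parse_qs(url.query).get("user", []):
            if m["admin"] == "0" and target != m["uid"]:
                hits.append((m["ts"], int(m["uid"]), target, int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in cross_user_workspace_hits(SAMPLE_LOG):
        print(hit)
```

Hits with a success status that predate the patch are the ones to follow up in the audit; hits that were rejected afterwards show the fixed check working.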


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-10T14:22:48.205Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68eecaf64a57b2a930bdf0b1

Added to database: 10/14/2025, 10:13:10 PM

Last enriched: 10/14/2025, 10:15:17 PM

Last updated: 10/15/2025, 4:00:41 AM
