
CVE-2025-62644: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Restaurant Brands International assistant platform

Severity: Medium
Published: Fri Oct 17 2025 (10/17/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Restaurant Brands International
Product: assistant platform

Description

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.

AI-Powered Analysis

Last updated: 10/17/2025, 21:16:54 UTC

Technical Analysis

CVE-2025-62644 is a vulnerability identified in the Restaurant Brands International assistant platform, specifically within its Global Store Directory feature. The flaw exposes private personal information to users who are authenticated on the platform but have no legitimate need to see it. The vulnerability is classified under CWE-359, which covers exposure of private information to unauthorized actors. The CVSS v3.1 base score is 5.0, a medium severity level. The vector indicates that the attack can be performed over the network (AV:N) with low complexity (AC:L), requires low privileges (PR:L), needs no user interaction (UI:N), and involves a scope change (S:C). The impact is limited to confidentiality (C:L), with no effect on integrity or availability. The vulnerability arises because the Global Store Directory shares personal information among all authenticated users without sufficient access controls or segregation, so any authenticated user can read personal data about other users or employees that they should not see. No patches or fixes are currently listed, and no exploits had been reported in the wild as of the publication date. The vulnerability poses a risk of unauthorized data disclosure, potentially violating privacy regulations and exposing sensitive employee or customer information. Organizations using the RBI assistant platform should be aware of this exposure and take steps to mitigate the risk while awaiting official remediation.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of personal information, which may include employee or customer data stored or accessible via the RBI assistant platform. This exposure risks non-compliance with the EU General Data Protection Regulation (GDPR), potentially resulting in significant fines and legal consequences. The confidentiality breach could damage organizational reputation and erode customer trust. Although the vulnerability does not affect system integrity or availability, the privacy impact alone is substantial. Given that exploitation requires authenticated access, insider threats or compromised credentials could be leveraged to exploit this vulnerability. Organizations operating franchises or stores under RBI brands in Europe may face increased scrutiny and operational risks. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Continuous monitoring and access control enforcement are critical to minimizing impact.

Mitigation Recommendations

1. Conduct a thorough audit of user roles and permissions within the RBI assistant platform to ensure least privilege principles are enforced, limiting access to the Global Store Directory only to necessary personnel.
2. Implement strict authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of credential compromise and unauthorized access.
3. Monitor access logs and user activity for anomalous behavior indicative of unauthorized data access or lateral movement within the platform.
4. Engage with Restaurant Brands International to obtain updates on patches or official remediation timelines and apply fixes promptly once available.
5. If possible, disable or restrict access to the Global Store Directory feature until a patch is released, especially for users who do not require access.
6. Provide training and awareness to employees about the risks of credential sharing and insider threats.
7. Review and update data handling and privacy policies to ensure compliance with GDPR and other relevant regulations in light of this vulnerability.
8. Consider network segmentation or additional access controls around systems hosting the RBI assistant platform to limit exposure.
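The following is an added illustrative example, not code from the RBI platform, showing the access-control pattern that recommendations 1 and 3 describe: a store-directory lookup that returns personal fields only to callers with a need to know, and an audit trail that a monitor can use to flag bulk personal-data reads. All field names, roles and directory entries are hypothetical and constructed here.

```python
from collections import Counter
from typing import Dict, List

# Fields every authenticated user legitimately needs versus personal data that
# should only reach a narrowly scoped role (CWE-359 is the failure to separate them).
PUBLIC_FIELDS = {"store_id", "name", "city", "country", "opening_hours"}
PII_FIELDS = {"manager_name", "manager_phone", "manager_email"}

# Constructed sample directory; values are placeholders, not real data.
DIRECTORY = [
    {"store_id": "ST-001", "name": "Store A", "city": "Lisbon", "country": "PT",
     "opening_hours": "08-22", "manager_name": "Manager One",
     "manager_phone": "+000 000 001", "manager_email": "m1@example.invalid"},
    {"store_id": "ST-002", "name": "Store B", "city": "Porto", "country": "PT",
     "opening_hours": "09-21", "manager_name": "Manager Two",
     "manager_phone": "+000 000 002", "manager_email": "m2@example.invalid"},
]

def exposed_directory(entries: List[Dict]) -> List[Dict]:
    """The behaviour the advisory describes: any authenticated caller gets every field."""
    return [dict(e) for e in entries]

def allowed_fields(user: Dict, entry: Dict) -> set:
    """Least privilege: personal fields only for an HR role or for the caller's own stores."""
    fields = set(PUBLIC_FIELDS)
    if "hr_admin" in user["roles"] or entry["store_id"] in user.get("managed_stores", ()):
        fields |= PII_FIELDS
    return fields

def filtered_directory(user: Dict, entries: List[Dict], audit: List[Dict]) -> List[Dict]:
    """Hardened lookup: strip fields the caller may not see and log every PII disclosure."""
    out = []
    for e in entries:
        fields = allowed_fields(user, e)
        out.append({k: v for k, v in e.items() if k in fields})
        if fields & PII_FIELDS:
            audit.append({"user": user["id"], "store": e["store_id"], "pii": True})
    return out

def bulk_pii_readers(audit: List[Dict], threshold: int) -> List[str]:
    """Detection helper: users whose PII reads reach the threshold (recommendation 3)."""
    counts = Counter(a["user"] for a in audit if a["pii"])
    return sorted(u for u, n in counts.items() if n >= threshold)
```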


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-10-17T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68f2aebd9c34d0947f437b59

Added to database: 10/17/2025, 9:01:49 PM

Last enriched: 10/17/2025, 9:16:54 PM

Last updated: 10/19/2025, 8:21:27 AM
