CVE-2025-62644 is a vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting the Restaurant Brands International (RBI) assistant platform. The issue resides in the Global Store Directory component, which improperly shares personal information among authenticated users without adequate access controls. This means that users with some level of authentication can access personal data of others that they should not be authorized to view. The vulnerability has a CVSS v3.1 base score of 5.0, indicating medium severity. The vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N shows that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requires privileges (PR:L) but no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to confidentiality (C:L), with no impact on integrity or availability. No public exploits or patches are currently available, and the vulnerability was published on 2025-10-17. The exposure of personal information could include employee or customer data stored in the Global Store Directory, raising privacy and compliance concerns. Organizations using the RBI assistant platform should be aware of the risk of unauthorized data disclosure among authenticated users and prepare to apply vendor patches when released.

For European organizations, the exposure of private personal information through the RBI assistant platform's Global Store Directory can lead to privacy violations and potential non-compliance with GDPR regulations, which impose strict requirements on personal data protection. Although the vulnerability does not affect system integrity or availability, unauthorized access to personal data can result in reputational damage, loss of customer trust, and possible regulatory fines. Since the vulnerability requires authenticated access with some privileges, insider threats or compromised credentials could be leveraged to exploit this flaw. Organizations operating RBI franchises or using the assistant platform for store management or employee coordination are at risk of internal data leakage. The medium severity rating reflects the limited but meaningful confidentiality impact. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential abuse. Additionally, the cross-scope nature means that the exposure could affect multiple components or services integrated with the assistant platform, increasing the breadth of impact.

To mitigate CVE-2025-62644, European organizations should implement strict access control policies limiting the visibility of personal information within the Global Store Directory only to users with a legitimate need. Conduct a thorough audit of user privileges and remove unnecessary access rights to reduce the attack surface. Monitor authentication logs and user activity for unusual access patterns that could indicate exploitation attempts. Employ network segmentation to isolate the assistant platform and restrict access to trusted users and devices. Since no patches are currently available, consider temporary compensating controls such as disabling or restricting the Global Store Directory feature if feasible. Engage with Restaurant Brands International to obtain updates on patch releases and apply them promptly once available. Additionally, provide security awareness training to employees about the risks of credential compromise and insider threats. Finally, review data minimization practices to ensure only essential personal information is stored and shared within the platform.