
CVE-2025-62781: CWE-613: Insufficient Session Expiration in THM-Health PILOS

Medium
Tags: vulnerability, cve, CVE-2025-62781, cwe-613
Published: Mon Oct 27 2025 (10/27/2025, 21:22:06 UTC)
Source: CVE Database V5
Vendor/Project: THM-Health
Product: PILOS

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s token remains valid and is not refreshed. If an attacker has previously obtained this session token through another vulnerability, changing the password will not invalidate their access. As a result, the attacker can continue to act as the user even after the password has been changed. This vulnerability is fixed in 4.8.0.

AI-Powered Analysis

AI analysis last updated: 11/04/2025, 03:18:47 UTC

Technical Analysis

CVE-2025-62781 is an Insufficient Session Expiration (CWE-613) flaw in THM-Health's PILOS, a frontend for BigBlueButton used to run live online seminars. In versions before 4.8.0, when a user with a local account changes their password while logged in, every other active session of that account is terminated, but the session that submitted the change is left untouched: its token is neither rotated nor invalidated.

The consequence is that a password change does not revoke an attacker who already holds a copy of that particular session token, obtained through some other vulnerability or attack vector that this CVE does not cover. The attacker keeps acting as the user after the change. Note the precondition: the surviving token is the one belonging to the session that performed the change. If the victim changes the password from a different session (another browser or device), the leaked session is one of the "other" sessions and is terminated as intended. The bug therefore bites in the most common recovery scenario, a user who suspects compromise and changes the password from the very browser whose cookie was stolen.

The root cause is session lifecycle management that does not tie session validity to the credential: a credential update should end, or at least re-issue, every session created under the old credential, including the current one. The CVSS v3.1 base score reported for this entry is 5.0 (Medium): network attack vector, high attack complexity, low privileges required and no user interaction, the complexity reflecting the need to obtain the token by other means first. No exploitation in the wild was known at publication. Version 4.8.0 fixes the issue; the advisory does not spell out the mechanism, but the behaviour to expect after the fix is that the current session is re-issued or ended on password change, so that the old token no longer resolves to the user.

Potential Impact

For European organizations running PILOS or BigBlueButton for remote seminars and collaboration, notably in education, healthcare and public administration, the risk is to confidentiality and session integrity rather than availability. An attacker who has already captured a session token keeps that access through the victim's password change, which is usually the first response to a suspected compromise, and can continue to read data, act as the user and disrupt seminars from inside the account. The practical severity depends on how a token could leak in the first place, for example through another vulnerability that exposes the cookie, a proxy or logging path that records it, or an unattended browser. On its own the flaw grants nothing; chained with such an exposure it turns a transient token theft into persistent access. The medium CVSS score and the absence of known exploits suggest moderate immediate risk, but the fix is a straightforward upgrade and worth scheduling promptly rather than leaving as an open item for chaining.

Mitigation Recommendations

Upgrade PILOS to version 4.8.0 or later; that is the only fix for the flaw itself. After upgrading, verify the behaviour rather than trusting the changelog: log in, note the session cookie, change the password from that session, then replay the old cookie against an authenticated endpoint and confirm it is rejected (a 401 or a redirect to the login page, depending on how the instance is configured). Repeat the exercise with the password change made from a second session to confirm that the first session is terminated as well.

Until the upgrade is possible, treat a suspected session compromise as not resolved by a password change alone: the affected user should also log out of the session they used to change the password, which (assuming logout invalidates the session server-side, as it should) ends the one session the change left alive. More generally, enforce session rotation or invalidation on every credential-affecting change, including password change, password reset, e-mail change and MFA enrolment, and apply it to the current session, not only to the others. Multi-factor authentication on local accounts is still worthwhile, but note what it does and does not do here: it raises the cost of obtaining a session through credential attacks, while a session token that has already been stolen replays just as well with MFA enabled. Keep the token hard to steal in the first place with TLS everywhere and the Secure, HttpOnly and SameSite attributes on the session cookie. Log session creation and termination with the session identifier and alert on one account being active from two network locations at once, so that a surviving token shows up in the logs. Finally, include session lifecycle checks (password change, reset, logout, re-authentication) in recurring security assessments and penetration tests, since this class of defect is easy to test for and easy to miss in code review.
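The two behaviours discussed in the technical analysis (terminate the other sessions but keep the current token, versus rotate the current session too) and the post-upgrade check from the mitigation section, as one runnable model. This is an added example, not PILOS code: it is an in-memory session store with assumed names (SessionStore, change_password, run_scenario, a per-user password "generation"), written to show why the leaked token survives in one mode and dies in the other. Against a real instance the same scenario would be driven over HTTP instead of against the in-memory store.

```python
"""Model of the CVE-2025-62781 session behaviour (added example, not PILOS code).

rotate_on_password_change=False reproduces the pre-4.8.0 behaviour described in
the advisory: a password change terminates every *other* session of the user but
leaves the caller's own token valid.
rotate_on_password_change=True is a hardened variant: the caller's session is
replaced by a fresh token and any token issued under the old password
generation is refused. All names here are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    generation: int  # password generation the session was issued under


@dataclass
class SessionStore:
    rotate_on_password_change: bool
    sessions: dict = field(default_factory=dict)    # token -> Session
    generation: dict = field(default_factory=dict)  # user -> current password generation

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.generation.get(user, 0))
        return token

    def resolve(self, token: str):
        """Return the user owning a valid token, else None."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.rotate_on_password_change and sess.generation < self.generation.get(sess.user, 0):
            # Issued under an old password: treat as expired (defence in depth
            # in case an old token ever survives the explicit purge below).
            del self.sessions[token]
            return None
        return sess.user

    def change_password(self, token: str) -> str:
        """Change the password of the user owning `token`.

        Returns the token the caller must use from now on; in the vulnerable
        mode this is the unchanged input token."""
        user = self.resolve(token)
        if user is None:
            raise PermissionError("not authenticated")
        # Both modes: terminate every *other* session of this user.
        for t, s in list(self.sessions.items()):
            if s.user == user and t != token:
                del self.sessions[t]
        if not self.rotate_on_password_change:
            return token  # CWE-613: the current token, and any copy of it, lives on
        # Hardened: bump the password generation, drop the current token and
        # hand the caller a fresh one.
        self.generation[user] = self.generation.get(user, 0) + 1
        del self.sessions[token]
        return self.login(user)


def run_scenario(store: SessionStore, change_from: str = "stolen") -> dict:
    """Replay the attacker scenario from the advisory.

    The victim's browser session token has leaked to an attacker (a copy of
    the same cookie). The victim then changes the password, either from the
    leaked session (change_from="stolen", the case the CVE covers) or from a
    second device (change_from="other"). Returns which tokens survived."""
    browser_token = store.login("victim")
    stolen_token = browser_token           # attacker holds an identical copy
    phone_token = store.login("victim")    # a second, unrelated session

    caller = browser_token if change_from == "stolen" else phone_token
    other = phone_token if change_from == "stolen" else browser_token
    caller_after = store.change_password(caller)

    return {
        "stolen_session_revoked": store.resolve(stolen_token) is None,
        "other_session_revoked": store.resolve(other) is None,
        "caller_still_logged_in": store.resolve(caller_after) == "victim",
    }


if __name__ == "__main__":
    for rotate in (False, True):
        for where in ("stolen", "other"):
            print(f"rotate={rotate} change_from={where}:",
                  run_scenario(SessionStore(rotate_on_password_change=rotate), where))
```

Running the script shows the vulnerable store reporting stolen_session_revoked False only when the password is changed from the leaked session; changing it from the second device revokes the leaked token even in vulnerable mode, which is the precondition noted in the analysis. The hardened store revokes the leaked token in both cases while the caller keeps a working (new) session.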


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-22T18:55:48.007Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ffe632ba6dffc5e21130cc

Added to database: 10/27/2025, 9:37:54 PM

Last enriched: 11/4/2025, 3:18:47 AM

Last updated: 12/11/2025, 3:18:25 PM

