
CVE-2025-63248

Severity: High
Type: Vulnerability
Published: Wed Nov 05 2025 (11/05/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

DWSurvey 6.14.0 is vulnerable to Incorrect Access Control. When deleting a questionnaire, replacing the questionnaire ID with the ID of another questionnaire can enable the deletion of other questionnaires.

AI-Powered Analysis

Last updated: 11/12/2025, 17:14:49 UTC

Technical Analysis

CVE-2025-63248 is an Incorrect Access Control vulnerability identified in DWSurvey version 6.14.0. The flaw arises when the application fails to properly verify the ownership or authorization of a questionnaire before processing a delete request. Specifically, when a user attempts to delete a questionnaire, the system accepts a questionnaire ID parameter. By replacing this ID with that of another questionnaire, an attacker can delete questionnaires they do not own or have permission to modify. This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The attack vector is network-based, requiring no authentication or user interaction, making it highly accessible for remote exploitation. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the ease of exploitation and the impact on data integrity. Although confidentiality and availability are not directly affected, the unauthorized deletion of questionnaires compromises the integrity of survey data, potentially disrupting business processes relying on accurate survey results. No patches or mitigations have been officially released at the time of publication, and no known exploits have been observed in the wild. Organizations using DWSurvey should urgently assess their exposure and implement compensating controls.

Potential Impact

The primary impact of CVE-2025-63248 is on data integrity, as unauthorized deletion of questionnaires can lead to loss of critical survey data. For European organizations, this can disrupt decision-making processes, compliance reporting, and customer feedback mechanisms that rely on survey data. In sectors such as market research, healthcare, public administration, and education, where surveys are integral, this could result in operational setbacks and reputational damage. Although the vulnerability does not compromise confidentiality or availability, the ability to manipulate or erase data without authorization undermines trust in the system and may lead to regulatory scrutiny under data governance laws like GDPR if data loss affects personal data processing. The lack of required authentication and user interaction increases the risk of widespread exploitation, especially in environments where DWSurvey is exposed to the internet or insufficiently segmented networks.

Mitigation Recommendations

1. Immediately implement strict server-side authorization checks to verify that the user requesting questionnaire deletion owns or is authorized to delete the specified questionnaire ID.
2. Employ parameter validation and enforce access control policies that bind questionnaire IDs to user sessions or roles.
3. Monitor and log all deletion requests with detailed metadata to detect anomalous or unauthorized deletion patterns.
4. Restrict network exposure of DWSurvey management interfaces to trusted internal networks or VPNs to reduce attack surface.
5. If possible, disable questionnaire deletion functionality temporarily until a vendor patch is available.
6. Engage with the DWSurvey vendor or community to obtain or request a security patch addressing this vulnerability.
7. Conduct regular security audits and penetration tests focusing on access control mechanisms within the application.
8. Educate administrators and users about the risks of unauthorized data manipulation and encourage prompt reporting of suspicious activity.
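The CWE-639 pattern described in the technical analysis, alongside the server-side ownership check from step 1 and the deletion audit trail from step 3, as an added example that is not DWSurvey's code. The in-memory store, the user names and the function names are assumptions constructed for this illustration.

```python
# Added illustration of the authorization gap behind CVE-2025-63248 and of the
# ownership check that closes it. Store, users and names are constructed here;
# this is not DWSurvey code and does not reflect its internal API.
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when the caller does not own the questionnaire."""


@dataclass
class Questionnaire:
    qid: int
    owner: str
    title: str


@dataclass
class SurveyStore:
    questionnaires: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def delete_vulnerable(self, qid: int) -> bool:
        # Trusts the client-supplied ID alone: whoever is logged in can delete
        # any record simply by submitting another questionnaire's ID.
        return self.questionnaires.pop(qid, None) is not None

    def delete_checked(self, qid: int, current_user: str) -> bool:
        # Bind the ID to the requesting user's ownership before acting
        # (mitigation step 1). Denied attempts are logged so that repeated
        # ID probing stands out in monitoring (mitigation step 3).
        q = self.questionnaires.get(qid)
        if q is None:
            self.audit_log.append(("delete", current_user, qid, "not_found"))
            return False
        if q.owner != current_user:
            self.audit_log.append(("delete", current_user, qid, "denied"))
            raise NotAuthorized(f"user {current_user!r} does not own questionnaire {qid}")
        del self.questionnaires[qid]
        self.audit_log.append(("delete", current_user, qid, "ok"))
        return True


def build_store() -> SurveyStore:
    # Constructed sample data: two users, each owning one questionnaire.
    store = SurveyStore()
    store.questionnaires[101] = Questionnaire(101, "alice", "Customer feedback")
    store.questionnaires[202] = Questionnaire(202, "bob", "Staff survey")
    return store


def denied_count(store: SurveyStore, user: str) -> int:
    # Detection helper: how many deletes attributed to a user were refused.
    return sum(1 for (_, u, _, outcome) in store.audit_log if u == user and outcome == "denied")
```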


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690b7c74ffac907e5be8d902

Added to database: 11/5/2025, 4:33:56 PM

Last enriched: 11/12/2025, 5:14:49 PM

Last updated: 12/20/2025, 2:20:21 PM

