
CVE-2025-63800: n/a

Severity: High
Published: Tue Nov 18 2025 (11/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-63800 is a high-severity vulnerability in Open Source Point of Sale (POS) version 3.4.1 where the password change endpoint allows setting an account password to an empty string because server-side validation is missing. Authenticated users can submit a password change request with empty 'password' and 'repeat_password' fields, and the backend accepts it, effectively disabling authentication for that account. This flaw can lead to unauthorized access to user or administrative accounts without requiring any privileges or user interaction. The vulnerability impacts confidentiality by allowing attackers to bypass authentication controls. No known exploits are currently reported in the wild. European organizations using this POS software are at risk, especially in the retail and hospitality sectors that rely on Open Source POS. Mitigation requires immediate patching or implementing strict server-side validation to reject empty passwords. Countries with significant retail sectors using open-source POS solutions, such as Germany, France, and the UK, are likely most affected.

AI-Powered Analysis

Last updated: 11/25/2025, 17:17:25 UTC

Technical Analysis

CVE-2025-63800 is a vulnerability identified in Open Source Point of Sale (POS) version 3.4.1, where the password change functionality lacks proper server-side validation for the password fields. Specifically, when an authenticated user submits a password change request with empty 'password' and 'repeat_password' parameters, the backend erroneously accepts this input and sets the account password to an empty string. This behavior effectively disables the authentication mechanism for the affected account, allowing anyone to log in without a password. The vulnerability stems from CWE-521, which relates to the use of weak or empty passwords. The CVSS v3.1 base score is 7.5, indicating a high-severity issue with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N). This means an attacker can remotely exploit the vulnerability without authentication or user interaction to gain unauthorized access to user or administrative accounts, compromising sensitive data confidentiality. Although no exploits have been reported in the wild, the vulnerability presents a significant risk to organizations relying on this POS software. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

Potential Impact

For European organizations, especially those in retail, hospitality, and other sectors using Open Source POS 3.4.1, this vulnerability poses a critical risk to account security. Attackers can bypass authentication controls by setting empty passwords, potentially gaining unauthorized access to sensitive customer data, transaction records, and administrative functions. This could lead to data breaches, fraud, and operational disruptions. The confidentiality of user and administrative accounts is severely compromised, increasing the risk of insider threats or external attackers manipulating POS systems. Given the widespread use of open-source POS solutions in European small and medium enterprises, the impact could be broad. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements, and exploitation of this vulnerability could lead to compliance violations and financial penalties. The absence of integrity or availability impact limits the scope to unauthorized access and data confidentiality breaches, but these are critical in payment and customer data contexts.

Mitigation Recommendations

Organizations should immediately audit their Open Source POS deployments to identify affected versions, specifically version 3.4.1. Until an official patch is released, implement strict server-side validation to reject password change requests where the 'password' or 'repeat_password' fields are empty or do not meet complexity requirements. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious password change requests. Enforce multi-factor authentication (MFA) for administrative accounts to reduce the risk of unauthorized access. Conduct regular account audits to detect accounts with empty or weak passwords and reset them proactively. Educate users and administrators about the risk and encourage prompt reporting of suspicious account behavior. Monitor logs for anomalous password change activities. Plan for rapid deployment of official patches once available and test updates in controlled environments before production rollout. Lastly, review and enhance overall password policies and authentication mechanisms within the POS environment.
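The check the advisory says the endpoint lacks, as an added example rather than Open Source POS code: the flawed handler only compares the two fields, so an empty 'password' matches an empty 'repeat_password'; the hardened validator rejects empty or whitespace-only values before the match check. The form dicts and the minimum-length policy are assumptions for illustration.

```python
# Added example (not Open Source POS code): server-side validation for the
# password-change fields named in CVE-2025-63800, 'password' and
# 'repeat_password'. Request forms are modelled as plain dicts.
import re

MIN_LENGTH = 8  # assumed policy value, not taken from the advisory


def vulnerable_accepts(form: dict) -> bool:
    """Mirrors the flawed behaviour: only checks that the two fields match.
    "" == "" is True, so an empty password is accepted and the account
    is left with no password at all."""
    return form.get("password", "") == form.get("repeat_password", "")


def hardened_validate(form: dict) -> list[str]:
    """Returns rejection reasons; an empty list means the change is allowed.
    A missing key is treated like an empty value instead of raising, and a
    whitespace-only value is refused without altering the password itself."""
    password = form.get("password") or ""
    repeat = form.get("repeat_password") or ""
    errors = []
    if not password.strip():
        errors.append("password must not be empty")
    elif len(password) < MIN_LENGTH:
        errors.append(f"password must be at least {MIN_LENGTH} characters")
    elif not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        errors.append("password must contain both letters and digits")
    if password != repeat:
        errors.append("password and repeat_password do not match")
    return errors


def hardened_accepts(form: dict) -> bool:
    """Convenience wrapper: True only when no validation error was raised."""
    return not hardened_validate(form)
```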


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 691c9c359b9483ee9a7975ad

Added to database: 11/18/2025, 4:17:57 PM

Last enriched: 11/25/2025, 5:17:25 PM

Last updated: 1/7/2026, 5:22:54 AM
