CVE-2025-63800: n/a
The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.
AI Analysis
Technical Summary
CVE-2025-63800 is a security vulnerability in Open Source Point of Sale (OSPOS) version 3.4.1. The password change endpoint does not validate the `password` and `repeat_password` parameters on the server side. When an authenticated user submits a password change request with these parameters empty or omitted, the backend accepts the request, stores an empty string as the account password, and returns a success response. Because the check exists only in the browser (if at all), anything that can reach the endpoint directly, such as a scripted request or an intercepting proxy, bypasses it.

The result is that authentication for the affected account is effectively disabled: anyone who knows the username can log in with an empty password. Exploitation requires an authenticated session for the account, but no additional privileges and no interaction from another user. In practice the realistic abuse is persistence rather than initial access: whoever briefly controls a logged-in session (an unattended POS terminal, a shared till login, a stolen session cookie) can blank the password so the account stays open after the session ends, and if the same endpoint is used by administrators to change other users' passwords, an administrative session can blank accounts in bulk. An empty password also defeats any assumption elsewhere in the system that a successful login implies knowledge of a secret.

No exploitation in the wild has been reported. No CVSS score has been assigned, so severity has to be judged from the nature of the flaw: it is a weakness in a core authentication control with confidentiality and integrity impact on user and administrative accounts, and therefore on the sales and customer data the POS holds. It is relevant to any organization running OSPOS 3.4.1, which is common in small retail and hospitality deployments.
Potential Impact
For European organizations in retail, hospitality, and other sectors running Open Source POS 3.4.1, exploitation can give unauthorized access to user and administrative accounts, allowing an attacker to manipulate sales records, read customer information, or disrupt operations. Setting an empty password removes the authentication control for that account outright, which makes account takeover and persistence trivial once a session has been obtained. Unauthorized access to personal data carries GDPR obligations and potential penalties, on top of direct financial loss and reputational damage. Disruption of point-of-sale systems also affects business continuity and customer trust. Given how widely POS systems are deployed in European retail, the vulnerability can have broad impact if left unaddressed.
Mitigation Recommendations
Organizations should audit their Open Source POS deployments to identify installations running 3.4.1 and check the user table for accounts whose stored credential verifies against an empty string (a check of the stored hashes, not of the login form). Reset any such accounts and review their recent activity. On the server side, reject password change requests where `password` or `repeat_password` is missing, empty, or mismatched, and enforce the organization's length and complexity policy there; client-side validation alone is what this flaw bypasses. As defense in depth, have the login handler refuse an empty submitted password before consulting the stored hash, so an already-blanked account cannot be used until it is reset. Until a fixed version is deployed, consider disabling the password change function or restricting it to trusted administrators. Enforce multi-factor authentication for administrative and other sensitive accounts. Monitor logs for password change requests with empty parameters and for successful logins to accounts flagged in the audit, train users on secure password practices, keep backups current, and have an incident response plan ready for breaches stemming from this vulnerability.
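The checks described above, as an added example that is not part of the original advisory or of the OSPOS code base: a handler that stores whatever it receives (the pattern the advisory describes) beside a hardened one, a login guard that refuses empty passwords, and an audit routine that finds accounts whose stored hash verifies against the empty string. The field names `password` and `repeat_password` are from the advisory; the handler shape, the in-memory user store, the PBKDF2 hashing, and the 12-character minimum are assumptions made for this demonstration.

```python
"""Server-side password-change validation (the check missing in CVE-2025-63800).

Illustrative example, not OSPOS code. Only the form field names come from the
advisory; the user store, hashing scheme and length policy are assumed here.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MIN_PASSWORD_LENGTH = 12          # assumed policy value for this demo
PBKDF2_ITERATIONS = 100_000       # assumed; tune to your hardware

# Constructed in-memory user store: username -> (salt, PBKDF2-HMAC-SHA256 hash)
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password_unchecked(form: dict, username: str) -> dict:
    """Vulnerable pattern: trusts the client and stores whatever arrived.
    A missing or empty `password` is silently saved as '' and reported as success."""
    new_pw = form.get("password", "")
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(new_pw, salt))
    return {"success": True}


def validate_password_change(form: dict) -> Optional[str]:
    """Server-side checks. Returns an error message, or None if the change is acceptable.
    Every condition here must be enforced regardless of what the browser did."""
    pw = form.get("password")
    rpt = form.get("repeat_password")
    if not isinstance(pw, str) or not isinstance(rpt, str):
        return "password and repeat_password are required"
    if pw.strip() == "":
        return "password must not be empty"
    if len(pw) < MIN_PASSWORD_LENGTH:
        return "password must be at least %d characters" % MIN_PASSWORD_LENGTH
    if pw != rpt:
        return "passwords do not match"
    return None


def set_password_checked(form: dict, username: str) -> dict:
    """Hardened handler: refuses the request unless validation passes."""
    err = validate_password_change(form)
    if err is not None:
        return {"success": False, "error": err}
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(form["password"], salt))
    return {"success": True}


def login(username: str, password: str) -> bool:
    """Defense in depth: an empty submitted password is rejected before the store is
    consulted, so an account that was already blanked cannot be used until reset."""
    if not password:
        return False
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def find_blank_password_accounts() -> list:
    """Audit: list accounts whose stored hash verifies against the empty string."""
    return sorted(
        user for user, (salt, stored) in USERS.items()
        if hmac.compare_digest(_hash("", salt), stored)
    )


if __name__ == "__main__":
    # Constructed scenario: a request with the parameters omitted hits both handlers.
    print(set_password_unchecked({}, "till1"))   # {'success': True}  (account now blank)
    print(set_password_checked({}, "till2"))     # {'success': False, 'error': ...}
    print(find_blank_password_accounts())        # ['till1']
```

The audit routine is the piece to run first on an existing deployment: it answers whether the flaw has already been used, which a code review of the endpoint cannot. Note that it must use the application's real hashing scheme and salt handling; the PBKDF2 call here stands in for whatever OSPOS actually stores.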
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 691c9c359b9483ee9a7975ad
Added to database: 11/18/2025, 4:17:57 PM
Last enriched: 11/18/2025, 4:26:25 PM
Last updated: 11/19/2025, 4:27:09 AM