
CVE-2025-64061: n/a

Published: Tue Nov 25 2025 (11/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes.

AI-Powered Analysis

Last updated: 11/25/2025, 17:23:56 UTC

Technical Analysis

CVE-2025-64061 identifies a critical security vulnerability in Primakon Pi Portal version 1.0.18, specifically affecting the /api/v2/users REST API endpoint. The vulnerability arises from deficient access control mechanisms that fail to restrict data access based on user privilege levels. As a result, any authenticated user—regardless of their assigned role or privilege—can issue a GET request to this endpoint and receive an unfiltered list of all registered users within the application. The response includes sensitive information such as password hashes, which, if obtained by malicious actors, could be subjected to offline cracking attempts to recover plaintext credentials. This exposure significantly undermines the confidentiality and integrity of user authentication data. The vulnerability does not require elevated privileges beyond basic authentication, nor does it require user interaction beyond sending the API request, making exploitation straightforward for insiders or compromised accounts. Although no public exploits or patches are currently known, the risk remains high due to the sensitive nature of the data exposed and the potential for subsequent attacks leveraging compromised credentials. The vulnerability was reserved on October 27, 2025, and published on November 25, 2025, but lacks a CVSS score, indicating that further assessment or vendor response may be pending. Organizations using Primakon Pi Portal should prioritize identifying affected instances, auditing user access, and implementing compensating controls to mitigate the risk until an official patch is released.
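The defect described above is a missing object-level authorization check combined with serialising storage rows verbatim. The following added example (not code from Primakon Pi Portal or the advisory) models a GET /api/v2/users style handler in its vulnerable shape beside the hardened shape a defender would expect: a positive role check and an explicit allow-list of response fields so that credential material cannot leave the server even when the authorization check is later weakened. All names, records and hash values are constructed placeholders.

```python
"""Added example (not Primakon Pi Portal code): vulnerable vs hardened
user-listing handler.  Users, roles and hash strings are constructed."""
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Principal:
    """The authenticated caller; `roles` is whatever the session carries."""
    username: str
    roles: frozenset


# Constructed user store.  The hash values are placeholders, not real digests.
USER_STORE = [
    {"id": 1, "username": "alice", "email": "alice@example.test",
     "role": "admin", "password_hash": "$argon2id$PLACEHOLDER-1"},
    {"id": 2, "username": "bob", "email": "bob@example.test",
     "role": "user", "password_hash": "$argon2id$PLACEHOLDER-2"},
    {"id": 3, "username": "carol", "email": "carol@example.test",
     "role": "user", "password_hash": "$argon2id$PLACEHOLDER-3"},
]

# The only fields that may ever appear in a user listing.  Credential
# material is absent by construction, so a forgotten filter cannot leak it.
PUBLIC_FIELDS = ("id", "username", "email", "role")


def list_users_vulnerable(caller: Optional[Principal]) -> tuple:
    """The pattern the advisory describes: the only gate is 'is the caller
    authenticated at all', and raw storage rows are serialised as-is."""
    if caller is None:
        return 401, []
    return 200, [dict(row) for row in USER_STORE]


def list_users_hardened(caller: Optional[Principal]) -> tuple:
    """Object-level authorization plus an explicit response allow-list."""
    if caller is None:
        return 401, []
    # 1) Authorization is a positive role check, not mere authentication.
    if "admin" not in caller.roles:
        return 403, []
    # 2) Even for admins, serialise through the allow-list of fields.
    return 200, [{k: row[k] for k in PUBLIC_FIELDS} for row in USER_STORE]


def leaks_credentials(body: list) -> bool:
    """Regression check for an API test suite: does any object in the
    response body carry a credential-looking field name?"""
    sensitive = {"password", "password_hash", "hash", "salt", "secret"}
    return any(sensitive & set(obj) for obj in body)


if __name__ == "__main__":
    low_priv = Principal("bob", frozenset({"user"}))
    status, body = list_users_vulnerable(low_priv)
    print("vulnerable  (user): ", status, "leaks:", leaks_credentials(body))
    status, body = list_users_hardened(low_priv)
    print("hardened    (user): ", status, "leaks:", leaks_credentials(body))
    status, body = list_users_hardened(Principal("alice", frozenset({"admin"})))
    print("hardened    (admin):", status, "leaks:", leaks_credentials(body))
```

The `leaks_credentials` check is the piece worth keeping in a CI suite: it asserts on the shape of every listing response rather than on one handler, so a future endpoint that reuses the storage model is caught the same way.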

Potential Impact

The exposure of password hashes and full user lists can lead to severe consequences for European organizations using Primakon Pi Portal. Attackers gaining access to password hashes can perform offline brute-force or dictionary attacks to recover user credentials, potentially escalating privileges or moving laterally within networks. This compromises the confidentiality and integrity of user accounts and may lead to unauthorized access to sensitive systems or data. The vulnerability also increases the risk of insider threats, as low-privileged users can harvest credentials without detection. For organizations in regulated sectors such as finance, healthcare, or critical infrastructure, this could result in compliance violations, reputational damage, and financial losses. Additionally, the ease of exploitation means that attackers with minimal access can cause disproportionate harm, broadening the effective threat surface. The absence of patches or mitigations at present exacerbates the risk, necessitating immediate defensive measures. Overall, the vulnerability also poses an indirect risk to availability by enabling follow-on attacks that could disrupt services or data integrity.

Mitigation Recommendations

To mitigate CVE-2025-64061, European organizations should implement the following specific measures:

1) Immediately audit all Primakon Pi Portal instances to identify affected versions and exposed endpoints.
2) Restrict access to the /api/v2/users endpoint using network-level controls such as IP whitelisting or API gateway policies to limit which authenticated users or systems can query this endpoint.
3) Enforce strict role-based access controls (RBAC) within the application to ensure only authorized administrative users can access sensitive user data.
4) Monitor API logs and user activity for unusual access patterns or mass data retrieval attempts indicative of exploitation.
5) Encourage or enforce strong password policies and multi-factor authentication to reduce the impact of credential compromise.
6) Prepare for rapid deployment of vendor patches or updates once available, including testing in staging environments.
7) Consider implementing additional encryption or tokenization of sensitive data fields in API responses if possible.
8) Educate users about the risks of credential reuse and phishing to reduce the likelihood of initial account compromise.

These targeted steps go beyond generic advice by focusing on immediate containment and detection strategies tailored to the specific vulnerability and its exploitation vector.
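Recommendation 4 above (monitor API logs for mass retrieval of the user listing) is the one most organizations can act on before a patch exists. The following added example is not from Primakon or the advisory; it is a small detector run over constructed API access log lines. The log layout (timestamp, authenticated user, method, path, status, bytes), the account names and the admin allow-list are all assumptions, and the two rules are the minimum a defender would want: any non-admin account reading the full collection, and any account reading it repeatedly.

```python
"""Added example (not Primakon Pi Portal code): detection of full
user-listing reads in API access logs.  Log format, paths and account
names are constructed for this example."""
import re
from collections import defaultdict

# Assumed log layout: ISO timestamp, authenticated user, method, path,
# HTTP status, response size in bytes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Collection endpoints whose full listing carries sensitive data.
SENSITIVE_PATHS = {"/api/v2/users"}

# Constructed sample: a normal admin call, a single-object read, a
# low-privileged account pulling the full listing, and a bursty script.
SAMPLE_LOG = """\
2025-11-25T10:00:01Z user=alice GET /api/v2/users 200 18422
2025-11-25T10:03:12Z user=bob GET /api/v2/users/2 200 310
2025-11-25T10:05:40Z user=bob GET /api/v2/users 200 18422
2025-11-25T10:07:02Z user=svc-report GET /api/v2/users?page=1 200 18422
2025-11-25T10:07:03Z user=svc-report GET /api/v2/users?page=2 200 18422
2025-11-25T10:07:04Z user=svc-report GET /api/v2/users?page=3 200 18422
2025-11-25T10:09:00Z user=carol GET /api/v2/projects 200 900
this line is malformed and must not crash the detector
"""


def normalise_path(path: str) -> str:
    """Drop the query string and trailing slash so /api/v2/users?page=2
    is recognised as the same collection as /api/v2/users."""
    return path.split("?", 1)[0].rstrip("/") or "/"


def parse(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text: str, admin_users: set, burst_threshold: int = 3) -> list:
    """Return (user, reason) findings.
    Rule A: a successful GET of a sensitive collection by a non-admin
            account (reported once per user).
    Rule B: any account with >= burst_threshold successful collection
            GETs, i.e. a mass-retrieval pattern."""
    findings = []
    counts = defaultdict(int)
    reported_nonadmin = set()
    for rec in parse(log_text):
        if rec["method"] != "GET" or rec["status"] != "200":
            continue
        if normalise_path(rec["path"]) not in SENSITIVE_PATHS:
            continue  # e.g. /api/v2/users/2 is a single-object read
        user = rec["user"]
        counts[user] += 1
        if user not in admin_users and user not in reported_nonadmin:
            reported_nonadmin.add(user)
            findings.append((user, "non-admin read of full user listing"))
    for user, n in counts.items():
        if n >= burst_threshold:
            findings.append((user, f"{n} full-listing reads (mass retrieval)"))
    return findings


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG, admin_users={"alice"}):
        print(f"ALERT {user}: {reason}")
```

Known service accounts that legitimately page through the listing belong in `admin_users` (or a separate allow-list) rather than being tuned out by raising `burst_threshold`; the threshold is there to catch scripted retrieval from accounts that should never touch the collection at all.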


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6925e2cb174e41d3fb46673b

Added to database: 11/25/2025, 5:09:31 PM

Last enriched: 11/25/2025, 5:23:56 PM

Last updated: 11/25/2025, 6:13:32 PM
