CVE-2025-64061 identifies an access control vulnerability in the Primakon Pi Portal version 1.0.18, specifically affecting the /api/v2/users REST API endpoint. This endpoint lacks proper authorization checks, allowing any authenticated user—regardless of their privilege level—to perform a GET request and obtain a complete, unfiltered list of all registered users within the application. Critically, the API response includes password hashes, which are sensitive credentials that, if compromised, can be subjected to offline brute-force or dictionary attacks to recover plaintext passwords. The vulnerability stems from deficient access control mechanisms (CWE-497), where privilege separation is not enforced, exposing sensitive data to low-privileged users. The CVSS v3.1 base score is 4.3 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), and no integrity or availability impact (I:N/A:N). No patches or known exploits are currently available. The vulnerability does not allow modification or deletion of data but poses a significant risk of credential exposure and subsequent lateral movement or privilege escalation if password hashes are cracked. The issue highlights the importance of enforcing strict access controls on sensitive API endpoints and protecting credential data even from authenticated users with limited privileges.

For European organizations using Primakon Pi Portal 1.0.18, this vulnerability could lead to unauthorized disclosure of user credentials, increasing the risk of account compromise. Attackers with any authenticated access could harvest password hashes and attempt offline cracking, potentially escalating privileges or moving laterally within the network. This could lead to unauthorized access to sensitive systems, data breaches, or disruption of business operations. The exposure of password hashes also undermines user trust and may have regulatory implications under GDPR due to inadequate protection of personal data. While the vulnerability does not directly allow data modification or service disruption, the indirect consequences of credential compromise can be severe, especially for organizations with critical infrastructure or sensitive data. The medium CVSS score indicates moderate risk, but the actual impact depends on the strength of password hashing algorithms used and the organization's overall security posture. European entities with large user bases or high-value targets are particularly at risk.

1. Immediately restrict access to the /api/v2/users endpoint to only highly privileged users or administrative roles through proper access control enforcement. 2. Implement role-based access control (RBAC) or attribute-based access control (ABAC) to ensure that low-privileged users cannot access sensitive user data. 3. Monitor API logs for unusual or excessive GET requests to the /api/v2/users endpoint, especially from low-privileged accounts, and investigate anomalies. 4. Enforce strong password hashing algorithms (e.g., bcrypt, Argon2) with adequate work factors to reduce the risk of offline cracking if hashes are exposed. 5. Conduct a thorough audit of user privileges and remove unnecessary access rights to minimize the attack surface. 6. If possible, apply virtual patching via web application firewalls (WAFs) to block unauthorized requests to the vulnerable endpoint until an official patch is released. 7. Educate users about the risk of credential compromise and enforce multi-factor authentication (MFA) to mitigate the impact of stolen credentials. 8. Engage with the vendor to obtain patches or updates addressing this vulnerability and plan for timely deployment once available.