
CVE-2025-64062: n/a

Severity: High
Published: Tue Nov 25 2025 (11/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., otheruser@user.com), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level.

AI-Powered Analysis

Last updated: 12/02/2025, 18:45:31 UTC

Technical Analysis

CVE-2025-64062 is a high-severity authorization bypass in Primakon Pi Portal version 1.0.18, in the /api/V2/pp_users REST endpoint. The endpoint filters user records by an email query parameter, but the server never checks that the supplied email belongs to the authenticated session: the record that comes back is selected entirely by attacker-controlled input. This is a broken object-level authorization flaw, classified on this page under CWE-285 (Improper Authorization). An authenticated low-privilege user who sets email to another account's address (for example otheruser@user.com) receives that user's data and privileges.

The more severe case is an omitted or blank email parameter. Instead of rejecting the request, the application falls back to the first user in its user list, which is typically the application administrator, so a blank filter yields immediate privilege escalation to the highest level without the attacker ever authenticating as the administrator.

This page records a CVSS v3.1 base score of 8.8 (High): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, an ordinary user account), no user interaction (UI:N), and high impact on confidentiality, integrity and availability (C:H/I:H/A:H), since the attacker can read and modify other users' data and reach administrative functions. The CVE record itself lists no CVSS version (see Technical Details below), so treat the score as this page's assessment rather than the assigner's. No patch or vendor mitigation is listed, and no exploitation in the wild had been reported as of publication. Any organization running the affected version is exposed, particularly where the portal fronts sensitive data or administrative controls.

Potential Impact

For European organizations, the impact of CVE-2025-64062 is substantial. Unauthorized access to user accounts can lead to data breaches involving personal, financial, or operational information, violating GDPR and other data protection regulations. The ability to escalate privileges to an administrator level without proper authentication can result in full system compromise, including unauthorized configuration changes, data manipulation, and potential disruption of services. This can affect business continuity, damage reputation, and incur regulatory penalties. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on Primakon Pi Portal for user management or administrative tasks are particularly vulnerable. The lack of user interaction and low complexity of exploitation increase the likelihood of successful attacks, potentially enabling lateral movement within networks. Additionally, the default fallback to the administrator account when the email parameter is blank presents a severe risk of immediate full system takeover. This vulnerability could be leveraged in targeted attacks or automated scanning campaigns, increasing exposure for European entities using this software.

Mitigation Recommendations

The root fix is server-side: derive the target identity from the authenticated session rather than from the email query parameter, or, if the parameter must remain for API compatibility, reject any request whose email does not match the session user (after case normalisation) and any request where it is missing or blank. The handler must never fall back to the first user or to any privileged account when the filter is empty or unmatched; an empty filter should produce a 400 or 403, not a record. Authorization must be enforced in the API layer on every object access, not left to the client.

Until a vendor patch is available, audit deployments for version 1.0.18 and restrict reachability of /api/V2/pp_users: network segmentation, or reverse-proxy and WAF rules that reject requests with a blank or missing email parameter. Log and monitor API requests, alerting on pp_users calls whose email is blank or differs from the session's user, and on a single session querying many distinct email values, since the endpoint makes user enumeration trivial.

Multi-factor authentication on administrative accounts remains worthwhile as defence in depth, but it does not stop this particular attack: the attacker authenticates only as an ordinary user and never logs in as the administrator, so the admin account's MFA is never challenged. Finally, engage the vendor to obtain a fix and apply it promptly once released.
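The following is an added illustration, not Primakon's code, of the flaw pattern described above and of the corresponding fix and detection logic. The handler signatures, the in-memory user table (with the administrator as the first row, as the advisory describes), the `Forbidden` exception and the access-log line format are all assumptions made for the example.

```python
"""Illustrative model of the CVE-2025-64062 flaw pattern (assumed, not vendor code).

Shows: (1) a handler that selects the record purely from the email parameter and
falls back to the first user when it is blank, (2) a hardened handler that binds
the object to the authenticated session, (3) a log check that flags the abuse.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class User:
    email: str
    role: str


# Constructed user table. The first row is the administrator, matching the
# advisory's description of the affected application's default ordering.
USERS: List[User] = [
    User("admin@example.com", "admin"),
    User("alice@example.com", "user"),
    User("bob@example.com", "user"),
]


class Forbidden(Exception):
    """Raised when the request is authenticated but not authorised."""


def _find(email: str) -> User:
    for u in USERS:
        if u.email.casefold() == email.casefold():
            return u
    raise KeyError(email)


def vulnerable_pp_users(session_email: str, email_param: Optional[str]) -> User:
    """Flawed pattern: the session is never consulted, and a blank filter
    silently returns the first row (the administrator)."""
    if not email_param:
        return USERS[0]          # blank filter -> first user -> administrator
    return _find(email_param)    # any caller can request any other user


def hardened_pp_users(session_email: str, email_param: Optional[str]) -> User:
    """Fixed pattern: the email must be present and equal the session identity;
    there is no fallback record of any kind."""
    if not email_param:
        raise Forbidden("email parameter is required")
    if email_param.casefold() != session_email.casefold():
        raise Forbidden("email does not match the authenticated session")
    return _find(session_email)  # look up by the trusted identity, not the parameter


def status_of(handler: Callable[[str, Optional[str]], User],
              session_email: str, email_param: Optional[str]) -> int:
    """Maps a handler outcome onto the HTTP status a real endpoint would return."""
    try:
        handler(session_email, email_param)
        return 200
    except Forbidden:
        return 403
    except KeyError:
        return 404


# Constructed access-log lines in an assumed "session_email METHOD target" format.
SAMPLE_LOG = """\
alice@example.com GET /api/V2/pp_users?email=alice@example.com
alice@example.com GET /api/V2/pp_users?email=bob@example.com
bob@example.com GET /api/V2/pp_users?email=
bob@example.com GET /api/V2/pp_users?email=bob@example.com
"""


def suspicious_requests(log_text: str) -> List[Tuple[str, str]]:
    """Flags pp_users calls whose email filter is blank or differs from the
    session's user. Returns (session_email, email_param) for each hit."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        session_email, _method, target = line.split(" ", 2)
        parts = urlsplit(target)
        if parts.path.lower() != "/api/v2/pp_users":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        email = params.get("email", [""])[0]
        if not email or email.casefold() != session_email.casefold():
            hits.append((session_email, email))
    return hits


if __name__ == "__main__":
    print("blank filter, vulnerable:", vulnerable_pp_users("alice@example.com", ""))
    print("blank filter, hardened:", status_of(hardened_pp_users, "alice@example.com", ""))
    print("flagged log entries:", suspicious_requests(SAMPLE_LOG))
```

The hardened handler looks the record up by the session identity once the parameter has been validated, so even a future bug in the comparison cannot hand back a different user's row; the detection function applies the same rule to the access log, which is the check a proxy or SIEM rule would implement while waiting for a vendor fix.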


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-10-27T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6925f3dfea01c5f8b8301218

Added to database: 11/25/2025, 6:22:23 PM

Last enriched: 12/2/2025, 6:45:31 PM

Last updated: 12/4/2025, 8:30:17 PM
