CVE-2025-64064: n/a
Primakon Pi Portal 1.0.18's /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request that modifies the PP_SECURITY_PROFILE_ID. Because of weak access controls, any low-level user can use this API to change their permission to Administrator by setting PP_SECURITY_PROFILE_ID=2 in the request body and escalate privileges.
AI Analysis
Technical Summary
CVE-2025-64064 is a critical privilege escalation vulnerability found in Primakon Pi Portal version 1.0.18, specifically in the /api/v2/pp_users REST API endpoint. This endpoint accepts PATCH requests intended to update user attributes, including the PP_SECURITY_PROFILE_ID, which controls user privilege levels. Due to inadequate access control validation, the API fails to verify whether the requesting user has the necessary permissions to modify this sensitive attribute. Consequently, any authenticated user with low-level privileges can craft a PATCH request containing PP_SECURITY_PROFILE_ID=2, which corresponds to Administrator-level access, thereby escalating their privileges without authorization. This vulnerability stems from weak or missing authorization checks on the server side, representing a classic broken access control issue. Although no public exploits have been reported yet, the vulnerability's nature makes it highly exploitable by insiders or attackers who have obtained low-level credentials. The impact of successful exploitation includes unauthorized administrative access, enabling attackers to manipulate system configurations, access sensitive data, create or delete users, and potentially disrupt system operations. The lack of a CVSS score suggests the vulnerability is newly disclosed, but the technical details indicate a high severity due to the direct privilege escalation vector and the critical nature of administrative privileges. Organizations using Primakon Pi Portal should urgently assess their exposure, implement compensating controls, and monitor API usage for anomalous privilege modifications. The absence of official patches at the time of disclosure necessitates immediate mitigation steps to prevent exploitation.
Potential Impact
For European organizations, exploitation of CVE-2025-64064 could have severe consequences. Unauthorized privilege escalation to Administrator level compromises the confidentiality, integrity, and availability of the affected systems. Attackers gaining administrative access can exfiltrate sensitive data, alter or delete critical information, disrupt business operations, and potentially pivot to other network segments. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that rely on Primakon Pi Portal for user management or operational control are particularly vulnerable. The breach of administrative credentials can lead to regulatory non-compliance, financial losses, reputational damage, and operational downtime. Given the centralized nature of user management in many enterprises, a single exploited instance could cascade into broader network compromise. The lack of known exploits currently provides a window for proactive defense, but the ease of exploitation means the threat is imminent once attackers become aware. European entities must consider the risk of insider threats and external attackers who may have obtained low-level credentials through phishing or other means.
Mitigation Recommendations
1. Immediately restrict access to the /api/v2/pp_users endpoint to only trusted and necessary users, ideally limiting it to administrators.
2. Implement strict server-side authorization checks to validate that any request to modify PP_SECURITY_PROFILE_ID is performed only by users with existing administrative privileges.
3. Monitor API logs for unusual PATCH requests attempting to change PP_SECURITY_PROFILE_ID values, especially those originating from low-privilege accounts.
4. Employ multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise.
5. If possible, disable or isolate the vulnerable API endpoint until a vendor patch is available.
6. Conduct regular audits of user privilege assignments to detect unauthorized escalations.
7. Engage with Primakon support or vendor channels to obtain or request a security patch addressing this vulnerability.
8. Educate users about the risks of credential theft and enforce strong password policies.
9. Use network segmentation to limit the impact of compromised accounts.
10. Prepare incident response plans specifically addressing privilege escalation scenarios.
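Recommendations 2 and 3 above, shown as an added example rather than Primakon code: a field-level authorization check for a PATCH on a user record (only administrators may touch PP_SECURITY_PROFILE_ID, non-admins may only edit an allow-list of fields on their own record), plus a scan of audit records for the low-privilege PATCH pattern the advisory describes. The field names in SELF_EDITABLE, the audit-record layout and the sample records are assumptions constructed for the example; only PP_SECURITY_PROFILE_ID, the value 2 and the endpoint path come from the page.

```python
import json

PROFILE_FIELD = "PP_SECURITY_PROFILE_ID"            # attribute named in the advisory
ADMIN_PROFILE_ID = 2                                 # value the advisory says means Administrator
SELF_EDITABLE = {"display_name", "email", "phone"}   # assumed harmless self-service fields


def authorize_patch(actor, target_user_id, patch):
    """Return (allowed, reason) for a PATCH of `patch` onto user `target_user_id`.

    actor = {"id": ..., "profile_id": ...} is the authenticated caller.
    Rule 1: only administrators may change PROFILE_FIELD, for anyone (including
            themselves). This is the server-side check 1.0.18 is reported to lack.
    Rule 2: non-admins may only PATCH their own record, and only SELF_EDITABLE
            fields; unexpected fields are rejected rather than silently dropped.
    """
    if actor["profile_id"] == ADMIN_PROFILE_ID:
        return True, "admin"
    if actor["id"] != target_user_id:
        return False, "non-admin may only modify own record"
    forbidden = set(patch) - SELF_EDITABLE
    if forbidden:
        return False, f"fields not self-editable: {sorted(forbidden)}"
    return True, "self-service update"


def find_escalation_attempts(log_lines):
    """Flag PATCH requests to the pp_users endpoint that carry PROFILE_FIELD
    and come from a non-admin actor. Lines are JSON audit records (assumed
    layout); returns [(actor_id, requested_profile_id), ...]."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "PATCH" or not rec.get("path", "").startswith("/api/v2/pp_users"):
            continue
        body = rec.get("body", {})
        if PROFILE_FIELD in body and rec.get("actor_profile_id") != ADMIN_PROFILE_ID:
            hits.append((rec["actor_id"], body[PROFILE_FIELD]))
    return hits


# Constructed sample audit records, not real log data.
SAMPLE_LOG = [
    '{"method":"PATCH","path":"/api/v2/pp_users/17","actor_id":17,"actor_profile_id":5,"body":{"PP_SECURITY_PROFILE_ID":2}}',
    '{"method":"PATCH","path":"/api/v2/pp_users/17","actor_id":17,"actor_profile_id":5,"body":{"email":"a@example.invalid"}}',
    '{"method":"PATCH","path":"/api/v2/pp_users/9","actor_id":1,"actor_profile_id":2,"body":{"PP_SECURITY_PROFILE_ID":3}}',
]

if __name__ == "__main__":
    print(authorize_patch({"id": 17, "profile_id": 5}, 17, {PROFILE_FIELD: 2}))  # denied
    print(find_escalation_attempts(SAMPLE_LOG))                                  # [(17, 2)]
```

The first sample record is the exact request shape the advisory describes and is both denied by `authorize_patch` and surfaced by `find_escalation_attempts`; the third is an administrator legitimately changing another user's profile and is not flagged.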
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6925f747ea01c5f8b834aefe
Added to database: 11/25/2025, 6:36:55 PM
Last enriched: 11/25/2025, 6:52:08 PM
Last updated: 11/25/2025, 7:40:19 PM