CVE-2025-64064: n/a
The Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request that modifies PP_SECURITY_PROFILE_ID. Because of these weak access controls, any low-level user can call this API and change their own permission level to Administrator by setting PP_SECURITY_PROFILE_ID=2 in the request body, thereby escalating privileges.
AI Analysis
Technical Summary
CVE-2025-64064 is a critical access control vulnerability identified in Primakon Pi Portal version 1.0.18, specifically affecting the /api/v2/pp_users REST API endpoint. The vulnerability arises because the endpoint fails to adequately verify user permissions before processing PATCH requests that modify the PP_SECURITY_PROFILE_ID attribute, which controls user privilege levels. An attacker with any authenticated low-level user account can exploit this flaw by crafting a PATCH request with PP_SECURITY_PROFILE_ID set to 2, which corresponds to Administrator privileges. This results in unauthorized privilege escalation, granting the attacker full administrative control over the portal. The vulnerability is classified under CWE-284 (Improper Access Control) and has a CVSS v3.1 base score of 8.8, indicating a high-severity issue with network attack vector, low attack complexity, and no user interaction required. The impact includes full compromise of confidentiality, integrity, and availability of the affected system. Although no public exploits have been reported yet, the straightforward exploitation method and the critical nature of the flaw make it a significant risk. The vulnerability affects all deployments running the vulnerable version of Primakon Pi Portal, and no official patches were listed at the time of publication, necessitating immediate compensating controls.
Potential Impact
For European organizations, this vulnerability poses a severe risk as it allows attackers to escalate privileges from a low-level user to an administrator without requiring user interaction or complex attack methods. This can lead to full system compromise, unauthorized data access, manipulation, or deletion, and disruption of services. Organizations using Primakon Pi Portal in sectors such as finance, healthcare, government, or critical infrastructure could face significant operational and reputational damage. The breach of administrator privileges could also facilitate lateral movement within networks, increasing the scope of potential damage. Given the network-exploitable nature of the vulnerability, attackers can exploit it remotely, increasing the threat surface. The lack of known exploits in the wild currently provides a window for mitigation, but the high severity demands urgent attention to prevent future exploitation.
Mitigation Recommendations
1. Immediately restrict access to the /api/v2/pp_users endpoint to only trusted and necessary users, ideally limiting it to administrators via network segmentation or firewall rules.
2. Implement strict monitoring and alerting for any changes to user privilege levels, especially modifications to PP_SECURITY_PROFILE_ID.
3. Enforce multi-factor authentication (MFA) for all user accounts to reduce the risk of compromised credentials being used to exploit this vulnerability.
4. Conduct a thorough audit of existing user privileges to identify any unauthorized escalations and revert them.
5. Engage with Primakon to obtain and apply official patches or updates addressing this vulnerability as soon as they become available.
6. If patching is delayed, consider deploying a Web Application Firewall (WAF) with custom rules to detect and block PATCH requests attempting to modify PP_SECURITY_PROFILE_ID.
7. Educate users about the importance of reporting suspicious account behavior promptly.
8. Review and tighten API authentication and authorization mechanisms to prevent similar flaws in the future.
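As an added example (not Primakon's code and not part of the advisory), the Python below sketches the compensating control from recommendations 2 and 6, which is also the field-level authorization check the endpoint itself should have performed: a PATCH to /api/v2/pp_users whose body touches PP_SECURITY_PROFILE_ID is blocked unless the caller already holds the Administrator profile (id 2, from the advisory), and administrator changes are always flagged for monitoring. The Request type, the profile id 5 used for an ordinary user, and the sample requests are constructed assumptions, as is the premise that the filter can resolve the caller's own profile id.

```python
import json
from dataclasses import dataclass

# From the advisory: the vulnerable endpoint and the profile id meaning Administrator.
TARGET_PATH_PREFIX = "/api/v2/pp_users"
ADMIN_PROFILE_ID = 2
PROTECTED_FIELDS = {"PP_SECURITY_PROFILE_ID"}  # never settable by non-administrators

@dataclass
class Request:
    method: str
    path: str
    actor_profile_id: int  # assumption: the filter can resolve the caller's own profile
    body: str              # raw request body as received

def decide(req: Request) -> tuple[str, str]:
    """Return ('allow'|'alert'|'block', reason); 'alert' forwards but raises an event."""
    if req.method.upper() != "PATCH" or not req.path.startswith(TARGET_PATH_PREFIX):
        return "allow", "not a PATCH to the user endpoint"
    try:
        body = json.loads(req.body or "{}")
    except json.JSONDecodeError:
        return "block", "unparseable JSON body on sensitive endpoint"
    if not isinstance(body, dict):
        return "block", "body is not a JSON object"
    # Compare keys case-insensitively so a differently cased key cannot slip past.
    touched = sorted(k for k in body if k.upper() in PROTECTED_FIELDS)
    if not touched:
        return "allow", "no protected field in body"
    if req.actor_profile_id == ADMIN_PROFILE_ID:
        return "alert", f"administrator changed {touched}"
    return "block", f"non-administrator attempted to change {touched}"

def triage(requests: list[Request]) -> dict[str, int]:
    """Run decide() over a batch and count the actions taken."""
    counts = {"allow": 0, "alert": 0, "block": 0}
    for req in requests:
        counts[decide(req)[0]] += 1
    return counts

# Constructed sample traffic, not logs from any real deployment.
SAMPLE_REQUESTS = [
    Request("PATCH", "/api/v2/pp_users/17", 5, '{"PP_SECURITY_PROFILE_ID": 2}'),
    Request("PATCH", "/api/v2/pp_users/17", 5, '{"pp_security_profile_id": 2}'),
    Request("PATCH", "/api/v2/pp_users/17", 2, '{"PP_SECURITY_PROFILE_ID": 2}'),
    Request("PATCH", "/api/v2/pp_users/17", 5, '{"display_name": "A. User"}'),
    Request("GET", "/api/v2/pp_users/17", 5, ""),
]
```

Running triage(SAMPLE_REQUESTS) blocks both low-level attempts (including the differently cased key), flags the administrator's change, and passes the two harmless requests.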
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6925f747ea01c5f8b834aefe
Added to database: 11/25/2025, 6:36:55 PM
Last enriched: 12/2/2025, 8:05:18 PM
Last updated: 1/10/2026, 10:10:35 PM
Views: 63