CVE-2025-64065: n/a
The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to an access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitrary user, including application Administrators. This is due to a Broken Function Level Authorization failure (the function doesn't check the caller's privilege) compounded by an Insecure Design that permits a session switch without requiring the target user's password or an administrative token and only needs the email of the user.
AI Analysis
Technical Summary
CVE-2025-64065 identifies a critical broken function level authorization vulnerability in the Primakon Pi Portal version 1.0.18, specifically within the /api/V2/pp_udfv_admin API endpoint. This endpoint exposes an administrative feature called LoginAs or user impersonation, which is intended to allow privileged users to assume the identity of other users for administrative purposes. However, the API fails to enforce proper server-side privilege checks, allowing any authenticated user with low privileges to send a crafted PATCH request to this endpoint and impersonate any arbitrary user, including administrators. The vulnerability stems from an insecure design that permits session switching without requiring the target user's password or an administrative token, relying solely on the target user's email address. This broken function level authorization (CWE-285) flaw enables attackers to escalate privileges, bypass access controls, and gain unauthorized administrative access. The vulnerability is remotely exploitable over the network without user interaction, and the CVSS 3.1 base score of 8.8 reflects its high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make this a critical risk. The lack of available patches at the time of publication necessitates immediate compensating controls and monitoring. This vulnerability could lead to full system compromise, data breaches, and disruption of services in environments using the affected Primakon Pi Portal version.
Potential Impact
For European organizations, the impact of CVE-2025-64065 is substantial. Exploitation allows attackers to impersonate any user, including administrators, resulting in complete loss of confidentiality, integrity, and availability of the affected system. This can lead to unauthorized data access, modification, or deletion, disruption of business operations, and potential lateral movement within networks. Organizations handling sensitive personal data, financial information, or critical infrastructure are at heightened risk of regulatory penalties under GDPR and other data protection laws if breaches occur. The vulnerability's ease of exploitation means that even low-privileged insiders or compromised user accounts can escalate privileges rapidly, increasing insider threat risks. Additionally, the ability to impersonate administrators can facilitate further attacks, such as deploying malware, altering configurations, or exfiltrating data. The lack of user interaction and remote exploitability further exacerbate the threat, making timely detection and response challenging. Overall, this vulnerability could severely undermine trust in affected applications and cause significant operational and reputational damage across European sectors.
Mitigation Recommendations
To mitigate CVE-2025-64065 effectively, organizations should implement the following specific measures:
1) Immediately restrict access to the /api/V2/pp_udfv_admin endpoint using network-level controls such as IP whitelisting or VPNs to limit exposure.
2) Enforce strict server-side authorization checks ensuring that only users with verified administrative privileges can invoke the LoginAs functionality. This includes validating the caller's role before processing impersonation requests.
3) Require multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials being leveraged.
4) Implement logging and real-time monitoring of PATCH requests to the vulnerable endpoint, with alerts for anomalous impersonation attempts or unusual user switching activities.
5) Conduct thorough audits of user sessions and privilege escalations to detect potential abuse.
6) If possible, disable or remove the LoginAs feature temporarily until a secure patch or update is available from the vendor.
7) Engage with Primakon to obtain security patches or updates addressing this vulnerability and apply them promptly once released.
8) Educate users and administrators about the risks of privilege escalation and the importance of safeguarding credentials.
These targeted actions go beyond generic advice by focusing on access control hardening, monitoring, and vendor coordination specific to this vulnerability.
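As an added illustration of mitigations 2 and 4 (constructed example, not Primakon's code: the user model, role names, handler names and log format are assumptions), the flawed pattern the advisory describes is shown beside a handler that checks the caller's role server-side and audits every attempt, followed by a check over constructed log lines that flags non-admin PATCH calls to the endpoint:

```python
"""Broken function level authorization on a LoginAs endpoint, its hardened
form, and a log check. Constructed example; names are assumptions."""
from dataclasses import dataclass, field
import re

@dataclass
class User:
    email: str
    role: str                       # "admin" or "user" (assumed roles)
    session: dict = field(default_factory=dict)

def login_as_vulnerable(caller: User, target_email: str, users: dict) -> str:
    """Flawed handler: trusts the email in the PATCH body and never asks who is calling."""
    target = users[target_email]
    caller.session["effective_user"] = target.email
    return target.email

def login_as_hardened(caller: User, target_email: str, users: dict, audit: list) -> str:
    """Fixed handler: the caller's server-side role decides, and every
    attempt (allowed or denied) is written to the audit trail."""
    if caller.role != "admin":
        audit.append(f"DENY login_as caller={caller.email} target={target_email}")
        raise PermissionError("LoginAs requires an administrative caller")
    target = users.get(target_email)
    if target is None:
        raise LookupError("unknown target user")
    caller.session["effective_user"] = target.email
    audit.append(f"ALLOW login_as caller={caller.email} target={target.email}")
    return target.email

# Constructed application-log lines (assumed format: the caller's role is logged).
SAMPLE_LOG = """\
2025-11-25T18:36:55Z caller=alice@example.test role=admin PATCH /api/V2/pp_udfv_admin 200
2025-11-25T18:37:10Z caller=bob@example.test role=user GET /api/V2/profile 200
2025-11-25T18:38:02Z caller=bob@example.test role=user PATCH /api/V2/pp_udfv_admin 200
"""
LINE_RE = re.compile(r"caller=(\S+) role=(\S+) (\S+) (\S+) (\d{3})$")

def suspicious_login_as(log_text: str) -> list:
    """Mitigation 4: flag PATCH calls to the LoginAs endpoint by a non-admin
    caller; a 200 on such a line means the role check was missing."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "PATCH" and m.group(4) == "/api/V2/pp_udfv_admin" \
                and m.group(2) != "admin":
            hits.append((m.group(1), int(m.group(5))))
    return hits
```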
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6925f747ea01c5f8b834af02
Added to database: 11/25/2025, 6:36:55 PM
Last enriched: 12/2/2025, 7:47:38 PM
Last updated: 1/10/2026, 10:09:50 PM