CVE-2025-64065 identifies a severe security vulnerability in the Primakon Pi Portal version 1.0.18, specifically targeting the API endpoint /api/V2/pp_udfv_admin. The vulnerability stems from a broken function level authorization mechanism combined with insecure design choices. The affected endpoint exposes a LoginAs or user impersonation feature that fails to validate the privileges of the caller properly. As a result, any authenticated user with low privileges can craft a direct PATCH HTTP request to impersonate any arbitrary user, including high-privilege administrators, by supplying only the target user's email address. This bypasses typical authentication requirements such as the target user's password or an administrative token, enabling unauthorized session switching. The lack of server-side validation means the system trusts the request without verifying if the requester has the right to perform impersonation. This flaw compromises the confidentiality and integrity of user accounts and can lead to full administrative control over the application, allowing attackers to manipulate data, escalate privileges, and disrupt services. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant threat. The absence of a CVSS score necessitates an expert severity assessment, which rates this vulnerability as critical due to its potential impact and exploitation simplicity. The vulnerability affects all deployments of Primakon Pi Portal 1.0.18 and possibly earlier versions if they share the same codebase. Organizations relying on this portal for administrative tasks or user management must urgently address this issue to prevent unauthorized access and potential data breaches.

For European organizations, the impact of CVE-2025-64065 is substantial. Successful exploitation allows attackers to impersonate any user, including administrators, leading to unauthorized access to sensitive data, modification or deletion of critical information, and potential disruption of services. This can result in data breaches, loss of trust, regulatory non-compliance (e.g., GDPR violations), and financial penalties. Sectors such as finance, healthcare, government, and critical infrastructure that use Primakon Pi Portal for user management or administrative functions are particularly vulnerable. The ability to escalate privileges without detection can facilitate lateral movement within networks, increasing the risk of broader compromise. Additionally, the impersonation capability can be leveraged for fraud, espionage, or sabotage. The lack of authentication requirements for impersonation exacerbates the risk, making it easier for insider threats or external attackers with low-level access to cause significant damage. Given the interconnected nature of European IT environments, a successful attack could have cascading effects across supply chains and partner organizations.

To mitigate CVE-2025-64065, organizations should immediately implement the following measures: 1) Restrict access to the /api/V2/pp_udfv_admin endpoint to only trusted administrative IP addresses or networks using network-level controls such as firewalls or API gateways. 2) Implement strict server-side authorization checks to verify that the requesting user has the appropriate privileges before allowing any impersonation or session switching actions. 3) Require multi-factor authentication (MFA) for all administrative and impersonation-related functions to add an additional security layer. 4) Introduce logging and monitoring of all impersonation attempts and PATCH requests to detect and respond to suspicious activities promptly. 5) Conduct a thorough code review and security audit of the user impersonation functionality to identify and remediate insecure design flaws. 6) If possible, disable the LoginAs feature temporarily until a secure patch or update is available. 7) Engage with the vendor or development team to obtain and apply security patches or updates addressing this vulnerability. 8) Educate users and administrators about the risks of impersonation features and enforce the principle of least privilege to minimize exposure. 9) Perform regular penetration testing and vulnerability assessments focusing on access control mechanisms to prevent similar issues.