The vulnerability CVE-2025-64066 affects Primakon Pi Portal version 1.0.18, specifically the REST API endpoint /api/v2/user/register. This endpoint is intended to allow user registration through an external Identity Provider, with internal user creation restricted to administrators. However, due to a Broken Access Control flaw (CWE-284), the endpoint does not enforce any authorization checks on POST requests, enabling unauthenticated attackers to register new user accounts directly in the application's local database. This bypasses the intended security model and allows attackers to create arbitrary accounts without validation or approval. The vulnerability also permits enumeration of existing users by analyzing responses to registration attempts, which can be exploited for social engineering or further targeted attacks. The flaw can be chained with other vulnerabilities to escalate privileges and potentially achieve full compromise of the application environment. The CVSS 3.1 base score is 8.6, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high impact on integrity with limited impact on confidentiality and availability. No patches or public exploits are currently documented, but the vulnerability poses a significant risk to organizations using this software.

For European organizations using Primakon Pi Portal 1.0.18, this vulnerability presents a critical risk to application integrity and security. Unauthorized user account creation can lead to unauthorized access, privilege escalation, and potential full compromise of the portal and connected systems. The ability to enumerate users increases the risk of targeted phishing and social engineering attacks, which are common vectors for further breaches. Compromise of the portal could expose sensitive business data, disrupt operations, and damage trust with customers and partners. Given the portal’s role in identity and access management, exploitation could cascade into broader network infiltration. The vulnerability’s network accessibility and lack of required authentication make it particularly dangerous for externally facing deployments. European organizations in sectors such as finance, healthcare, government, and critical infrastructure, where identity management is crucial, could face severe operational and reputational damage if exploited.

Organizations should immediately audit their use of Primakon Pi Portal 1.0.18 and restrict access to the /api/v2/user/register endpoint to trusted networks or authenticated users only. Implement network-level controls such as firewalls or API gateways to block unauthorized POST requests to this endpoint. If possible, disable direct user registration via the local database and enforce registration exclusively through the external Identity Provider. Conduct thorough logging and monitoring of registration attempts to detect unusual activity or enumeration attempts. Review and harden access control policies within the application to ensure administrative functions cannot be bypassed. Engage with the vendor for patches or updates addressing this vulnerability and apply them promptly once available. Additionally, conduct penetration testing and vulnerability assessments to identify any chained vulnerabilities that could escalate the impact. Educate staff on social engineering risks related to user enumeration to reduce the likelihood of successful phishing attacks.