CVE-2025-64066 identifies a Broken Access Control vulnerability in the Primakon Pi Portal version 1.0.18, specifically targeting the REST API endpoint /api/v2/user/register. This endpoint is designed to allow user registration; however, it fails to enforce any authorization checks, permitting unauthenticated attackers to perform POST requests to create new user accounts directly in the application's local database. The security architecture of the portal relies on an external Identity Provider (IdP) for initial user registration, with the assumption that internal user creation is restricted to administrative personnel only. By bypassing this mechanism, attackers can introduce unauthorized accounts, potentially with elevated privileges if combined with other vulnerabilities. Additionally, the endpoint can be abused to enumerate existing user accounts, which can facilitate social engineering attacks or targeted exploitation. Although no public exploits have been reported yet, the vulnerability presents a significant risk due to the lack of authentication and authorization barriers. The vulnerability could be leveraged to gain unauthorized access, escalate privileges, and compromise the integrity and confidentiality of the application and its data. The absence of a CVSS score indicates that this vulnerability is newly published and requires immediate attention. The vulnerability affects the core user management functionality, making it a critical vector for attackers aiming to infiltrate the system.

For European organizations, the impact of CVE-2025-64066 can be severe. Unauthorized user account creation undermines the integrity of identity and access management, potentially allowing attackers to gain footholds within enterprise environments. This can lead to unauthorized data access, manipulation, or deletion, impacting confidentiality and integrity. The ability to enumerate users aids attackers in crafting targeted phishing or social engineering campaigns, increasing the likelihood of successful attacks. If chained with privilege escalation vulnerabilities, attackers could achieve full application compromise, leading to lateral movement within networks and exposure of sensitive information. Organizations in regulated sectors such as finance, healthcare, and critical infrastructure face heightened risks due to compliance requirements and the sensitivity of their data. The lack of authentication on a critical endpoint also increases the attack surface, making it easier for threat actors to exploit this vulnerability remotely without user interaction. This could result in operational disruptions, reputational damage, and financial losses.

To mitigate this vulnerability, organizations should immediately implement strict access control mechanisms on the /api/v2/user/register endpoint to ensure that only authorized entities can create user accounts. This includes enforcing authentication and authorization checks consistent with the intended security architecture relying on the external Identity Provider. Input validation and rate limiting should be applied to prevent abuse and enumeration attempts. Audit logging should be enabled to monitor and alert on suspicious registration activities. If possible, disable direct user registration via the API and funnel all user creation through the external IdP or administrative interfaces. Conduct a thorough review of user management workflows and permissions to ensure no other endpoints allow unauthorized user creation. Organizations should also apply any available patches or updates from the vendor once released. Additionally, perform regular security assessments and penetration testing to detect similar access control weaknesses. Employee training on recognizing social engineering attempts can reduce the risk posed by user enumeration.