CVE-2025-64067 affects Primakon Pi Portal version 1.0.18, specifically its API endpoints responsible for retrieving object-specific or filtered data such as user profiles and project records. The vulnerability stems from insufficient server-side authorization validation, allowing attackers to bypass access controls. Two exploitation methods exist: direct ID manipulation (IDOR) where an attacker alters parameters like user_id or project_id to access data belonging to other users, and filter omission, where removing filtering parameters causes the API to return entire unfiltered datasets containing all stored records. This results in unauthorized exposure of sensitive personal and organizational data, potentially including confidential user information and project details. The vulnerability does not require authentication or complex user interaction, increasing its risk profile. Although no CVSS score has been assigned and no known exploits are reported, the flaw represents a significant security gap. The lack of patch information suggests that affected organizations must proactively implement mitigations. The vulnerability highlights the critical importance of enforcing strict server-side authorization checks and validating all input parameters to prevent unauthorized data access in API-driven applications.

For European organizations, this vulnerability could lead to significant data breaches involving personal data protected under GDPR, as well as exposure of sensitive business information. Unauthorized access to user profiles and project data can result in privacy violations, reputational damage, regulatory fines, and potential intellectual property theft. The ability to retrieve entire datasets without restriction amplifies the risk of mass data leakage. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on Primakon Pi Portal for project or user management are particularly at risk. The breach of confidentiality could also facilitate further attacks, including social engineering or targeted intrusions. Given the lack of authentication requirements for exploitation, attackers could operate remotely and anonymously, increasing the threat surface. The absence of known exploits provides a window for mitigation, but the potential impact remains high if exploited.

European organizations using Primakon Pi Portal 1.0.18 should immediately audit all API endpoints for proper authorization checks. Implement strict server-side validation to ensure that users can only access data they are authorized to view, including verifying ownership or access rights for each requested object or dataset. Enforce mandatory filtering parameters and reject requests missing these filters to prevent unfiltered data exposure. Employ robust input validation and parameter sanitization to prevent ID manipulation attacks. Monitor API access logs for unusual patterns indicative of IDOR or filter omission exploitation attempts. If possible, restrict API access through network segmentation or VPNs to trusted users only. Engage with the vendor for official patches or updates and apply them promptly once available. Additionally, conduct regular security assessments and penetration testing focused on API authorization controls. Implement data encryption at rest and in transit to mitigate data exposure risks in case of unauthorized access.