CVE-2025-64067: n/a
CVE-2025-64067 is a medium severity vulnerability affecting Primakon Pi Portal 1.0.18 API endpoints. The flaw arises from insufficient server-side authorization validation, allowing attackers to manipulate ID parameters or omit filters to access unauthorized user or project data. Exploitation does not require authentication or user interaction and can lead to unauthorized disclosure of sensitive personal and organizational information. Although no known exploits are currently in the wild, the vulnerability poses a significant privacy risk. European organizations using this software should prioritize mitigation to prevent data exposure. The vulnerability is rated with a CVSS score of 5.3, reflecting its moderate impact primarily on confidentiality. Mitigation involves implementing strict server-side authorization checks and validating all input parameters.
AI Analysis
Technical Summary
CVE-2025-64067 identifies a security vulnerability in Primakon Pi Portal version 1.0.18, specifically in its API endpoints responsible for retrieving object-specific or filtered data such as user profiles and project records. The core issue is the lack of sufficient server-side validation to verify that the requesting user is authorized to access the requested resource. This results in two primary exploitation methods: first, direct ID manipulation or Insecure Direct Object Reference (IDOR), where an attacker alters an ID parameter (e.g., user_id or project_id) in the API request to access data belonging to other users; second, filter omission, where the attacker omits filtering parameters entirely, causing the API to return an unfiltered dataset containing all stored records across users. This vulnerability falls under CWE-639, which relates to authorization bypass through improper validation. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS 3.1 base score is 5.3, indicating a medium severity primarily due to confidentiality impact without affecting integrity or availability. No patches or known exploits have been reported yet. The vulnerability exposes sensitive personal and organizational data, potentially leading to privacy violations, compliance issues, and reputational damage for affected organizations.
Potential Impact
For European organizations, the unauthorized exposure of sensitive personal and organizational data can have significant consequences. This includes violations of the EU General Data Protection Regulation (GDPR), which mandates strict controls over personal data access and disclosure. Data leakage could lead to regulatory fines, legal liabilities, and loss of customer trust. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on Primakon Pi Portal for managing sensitive data are particularly at risk. The vulnerability could facilitate insider threats or external attackers gaining access to confidential information, potentially enabling further attacks such as social engineering or targeted phishing. Although the vulnerability does not impact system integrity or availability, the confidentiality breach alone can disrupt business operations and damage organizational reputation. Given the ease of exploitation without authentication, attackers can remotely access data, increasing the threat surface for European entities using this software.
Mitigation Recommendations
Organizations should immediately implement strict server-side authorization checks to ensure that API requests are validated against the requesting user's permissions before returning any data. This includes verifying that the user is authorized to access the specific object identified by any ID parameters and enforcing filtering parameters to prevent unfiltered data retrieval. Input validation should be enhanced to reject requests with manipulated or missing filter parameters. Conduct a thorough code review of all API endpoints handling sensitive data to identify and remediate similar authorization flaws. Employ logging and monitoring to detect unusual access patterns or large data retrievals indicative of exploitation attempts. If possible, restrict API access to trusted networks or authenticated users until patches or fixes are available. Engage with the vendor for official patches or updates and apply them promptly once released. Additionally, conduct regular security assessments and penetration testing focused on API authorization controls to prevent recurrence.
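As an added illustration of the two request patterns described above and of the server-side checks recommended here (example code, not Primakon Pi Portal's own): a minimal in-memory project endpoint in its vulnerable form beside a hardened one that derives authorization from the authenticated requester rather than from client parameters. The `Project` model, the `PROJECTS` sample data and the exception names are constructed for this example.

```python
# Added example, not vendor code; all data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Project:
    project_id: int
    owner_id: int
    name: str

# Constructed sample data: two users (100, 200) and three projects.
PROJECTS = {
    1: Project(1, 100, "alpha"),
    2: Project(2, 100, "beta"),
    3: Project(3, 200, "gamma"),
}

class Forbidden(Exception):
    """Requester is not authorized for the requested data."""

class BadRequest(Exception):
    """A required parameter is missing or malformed."""

def get_projects_vulnerable(params):
    """The pattern in the advisory: the owner filter is optional and client-
    supplied, and a project_id is returned without checking who owns it."""
    if "project_id" in params:
        return [PROJECTS[int(params["project_id"])]]   # IDOR: no owner check
    owner = params.get("owner_id")
    if owner is None:
        return list(PROJECTS.values())                  # filter omitted: full dump
    return [p for p in PROJECTS.values() if p.owner_id == int(owner)]

def get_projects_hardened(requester_id, params):
    """Scope and object-level authorization come from the session, never the client."""
    if requester_id is None:
        raise Forbidden("authentication required")
    if "project_id" in params:
        try:
            pid = int(params["project_id"])
        except (TypeError, ValueError):
            raise BadRequest("project_id must be an integer")
        project = PROJECTS.get(pid)
        # A missing object and a foreign object are rejected identically,
        # so the response does not confirm which IDs exist.
        if project is None or project.owner_id != requester_id:
            raise Forbidden("not authorized for this project")
        return [project]
    # Listing is always scoped to the requester; any client owner_id is ignored.
    return [p for p in PROJECTS.values() if p.owner_id == requester_id]
```

The hardened handler also gives monitoring a clean signal: every rejected request raises `Forbidden`, so a burst of them from one client is the "unusual access pattern" the recommendations above suggest alerting on.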
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6925faccea01c5f8b8382a85
Added to database: 11/25/2025, 6:51:56 PM
Last enriched: 12/2/2025, 8:06:01 PM
Last updated: 1/10/2026, 10:11:58 PM