CVE-2025-64309 is a vulnerability classified under CWE-523 (Insufficient Protection of Credentials) found in Brightpick AI's Brightpick Mission Control / Internal Logic Control product. The flaw arises because the product discloses sensitive information—including device telemetry, configuration details, and credential data—via WebSocket traffic to any unauthenticated user who connects to a specific URL endpoint. This URL is not protected and can be discovered through straightforward network scanning techniques, such as port scanning or service enumeration. The vulnerability affects all versions of the product, indicating a systemic design or implementation flaw. The CVSS v3.1 base score is 8.6, reflecting a high severity due to the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). This means attackers can exfiltrate sensitive information without altering or disrupting system operations. Although no known exploits have been reported in the wild yet, the ease of discovery and exploitation makes this a critical concern. The vulnerability could be leveraged by attackers to gather intelligence for further attacks, including credential theft or lateral movement within networks. The lack of available patches at the time of publication necessitates immediate mitigation through network controls and monitoring.

For European organizations, the exposure of device telemetry, configuration, and credential information can lead to severe confidentiality breaches, potentially enabling attackers to compromise operational technology (OT) environments or industrial control systems (ICS). This is particularly critical for sectors such as manufacturing, energy, transportation, and utilities, where Brightpick AI's solutions may be deployed for mission control and internal logic management. Unauthorized access to credentials can facilitate further intrusions, privilege escalation, or persistent access, increasing the risk of espionage, sabotage, or data theft. The vulnerability does not directly affect system integrity or availability, but the information disclosed could be used to plan disruptive attacks. Given the interconnected nature of European critical infrastructure and the increasing adoption of AI-driven control systems, the threat could have cascading effects on supply chains and service continuity. Organizations lacking proper network segmentation or monitoring are especially vulnerable. The absence of known exploits currently provides a window for proactive defense, but the ease of exploitation and high confidentiality impact underscore the urgency of mitigation.

1. Immediately implement strict network segmentation to isolate Brightpick Mission Control interfaces from general network access, restricting them to trusted administrative networks only. 2. Employ firewall rules and access control lists (ACLs) to block unauthorized inbound connections to the WebSocket endpoints, especially from external or untrusted networks. 3. Monitor network traffic for unusual WebSocket connection attempts or data exfiltration patterns targeting the specific URL or related services. 4. Conduct internal network scans to identify and remediate any exposed management interfaces or services. 5. Enforce strong credential management policies, including rotation and use of multi-factor authentication where possible, to limit the impact of credential disclosure. 6. Engage with Brightpick AI for updates on patches or security advisories and plan for timely application of fixes once available. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability. 8. Train security teams to recognize signs of reconnaissance activity that could precede exploitation. 9. Review and harden WebSocket implementations and configurations to ensure no sensitive data is transmitted without proper authentication and encryption. 10. Document and test incident response plans to quickly address potential breaches stemming from this vulnerability.