CVE-2025-6513: CWE-260: Password in Configuration File in Bizerba SE & Co. KG BRAIN2
Standard Windows users can access the configuration file for database access of the BRAIN2 application and decrypt it.
AI Analysis
Technical Summary
CVE-2025-6513 is a critical vulnerability in the BRAIN2 application developed by Bizerba SE & Co. KG. It is classified as CWE-260 (Password in Configuration File). Standard Windows users, that is, accounts without elevated privileges, can read the configuration file that holds the database access credentials. The credentials are stored in encrypted form, but that encryption can be reversed by those same users, so it offers no real protection and the database credentials are exposed. With them, an unprivileged user can connect to the database backend, potentially with full privileges. The CVSS v3.1 base score is 9.3 (Critical). The vector AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H indicates that the attacker needs local access (AV:L) but no privileges (PR:N) and no user interaction (UI:N), and that the scope is changed (S:C): a flaw in the workstation-side application affects a resource beyond it, the database. Confidentiality, integrity and availability impact are all rated high, since whoever holds the credentials can read, modify or disrupt the database. No patch and no known in-the-wild exploitation had been reported as of the publication date (June 23, 2025). The affected version is listed as 0.0, which likely denotes an initial or specific release of BRAIN2. The root cause is that sensitive credentials are kept in a configuration file readable by standard users and protected only by an encryption those users can undo. This is a design flaw in how the application is deployed on Windows.
Potential Impact
For European organizations using Bizerba's BRAIN2 application, this vulnerability poses a significant risk. Because non-privileged users can recover the database credentials, they can read any sensitive business or customer data stored in the database. This can result in data breaches, regulatory non-compliance (for example GDPR violations), financial losses, and reputational damage. Data integrity is at risk if an attacker modifies database contents, which can in turn corrupt operational processes that rely on accurate data, and availability is at risk if database services are disrupted or critical data is deleted. Given Bizerba's prominence in industrial weighing and labeling solutions, sectors such as manufacturing, logistics, retail, and food processing across Europe could be affected. The local attack vector means that an insider, or an attacker who has gained a foothold on a workstation, can use this flaw to reach the backend database without needing elevated rights on the workstation itself. The risk is higher in environments with shared workstations or weak endpoint security controls. The critical severity underscores the urgency of addressing this vulnerability to prevent exploitation that could disrupt business continuity and violate data protection laws.
Mitigation Recommendations
1. Restrict file system permissions: Immediately review and tighten NTFS permissions on the BRAIN2 configuration files to ensure only highly trusted administrative accounts have read access. Remove access for standard users wherever possible.
2. Implement application-level encryption: Advocate for or implement stronger encryption mechanisms for stored credentials that are not easily reversible by local users, such as using Windows Data Protection API (DPAPI) or hardware security modules (HSMs).
3. Network segmentation: Isolate systems running BRAIN2 and its database backend from general user workstations to limit local access vectors.
4. Monitor and audit access: Deploy file integrity monitoring and audit logs on configuration files and database access to detect unauthorized access attempts promptly.
5. Use endpoint protection: Employ endpoint detection and response (EDR) solutions to detect suspicious activities indicative of credential extraction or lateral movement.
6. Vendor engagement: Engage with Bizerba for patches or updates addressing this vulnerability and apply them as soon as they become available.
7. Credential rotation: Rotate database credentials regularly and immediately after any suspected compromise.
8. Least privilege principle: Ensure database accounts used by BRAIN2 have the minimum necessary privileges to limit potential damage if credentials are compromised.
9. User training: Educate users about the risks of local credential exposure and enforce policies to prevent unauthorized access to sensitive files.
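The following PowerShell check is an added example, not part of the advisory and not Bizerba's code. It implements recommendation 1: it lists Allow entries on a configuration file that grant read access to Everyone, Authenticated Users or BUILTIN\Users, and with -Remediate removes them. The path is a placeholder, since the advisory does not state where BRAIN2 stores its database configuration file.

```powershell
# Added example (not from the advisory or Bizerba): detect and optionally remove
# read access for standard Windows users on a credential-bearing config file.
# The path used at the bottom is a PLACEHOLDER; the advisory does not give the
# real location of the BRAIN2 database configuration file.
function Test-ConfigFileAcl {
    param(
        [Parameter(Mandatory)] [string]$ConfigPath,
        [switch]$Remediate
    )
    # Well-known SIDs that stand in for "standard Windows users".
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -LiteralPath $ConfigPath
    $findings = @(foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate($sidType).Value
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
            (($ace.FileSystemRights -band $readBit) -ne 0)) {
            [pscustomobject]@{
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    })

    if ($Remediate -and $findings.Count -gt 0) {
        # Inherited entries cannot be removed in place. First detach the file
        # from its parent's ACL (keeping copies of the inherited entries),
        # persist that, re-read the now-explicit entries, then drop every Allow
        # entry for the broad principals. Requires an elevated session.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $ConfigPath -AclObject $acl
        $acl = Get-Acl -LiteralPath $ConfigPath
        foreach ($ace in @($acl.Access)) {
            $sid = $ace.IdentityReference.Translate($sidType).Value
            if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
                $null = $acl.RemoveAccessRuleAll($ace)
            }
        }
        Set-Acl -LiteralPath $ConfigPath -AclObject $acl
    }
    return $findings   # empty array when no broad principal can read the file
}

# Usage: report offending entries (add -Remediate to remove them).
Test-ConfigFileAcl -ConfigPath 'C:\PLACEHOLDER\BRAIN2\db.config' | Format-Table
```

Removing broad read access only closes the file-level exposure; the database credentials should still be rotated (recommendation 7) because any standard user may already have read the file.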
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Poland, Czech Republic, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: bizerba
- Date Reserved: 2025-06-23T09:36:49.537Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68594d59179a4edd60b68459
Added to database: 6/23/2025, 12:49:29 PM
Last enriched: 6/23/2025, 1:04:41 PM
Last updated: 7/14/2025, 5:24:06 AM