CVE-2025-66086: Missing Authorization in Cozy Vision SMS Alert Order Notifications

Severity: Medium
Published: Fri Nov 21 2025 (11/21/2025, 12:29:58 UTC)
Source: CVE Database V5
Vendor/Project: Cozy Vision
Product: SMS Alert Order Notifications

Description

Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications (sms-alert) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.8.

AI-Powered Analysis

Last updated: 01/21/2026, 00:24:00 UTC

Technical Analysis

CVE-2025-66086 identifies a Missing Authorization vulnerability in Cozy Vision's SMS Alert Order Notifications product, specifically in versions up to 3.8.8. The vulnerability stems from incorrectly configured access control security levels, which fail to properly restrict access to SMS alert order notifications. This misconfiguration allows remote attackers to access sensitive notification data without requiring any privileges or user interaction. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L) with no integrity or availability impact (I:N/A:N). The vulnerability does not require authentication, making it easier to exploit remotely. However, it only leaks limited confidential information related to SMS alert orders rather than allowing full system compromise or data manipulation. There are no known public exploits or patches available at the time of publication, which suggests organizations should proactively assess and secure affected systems. The vulnerability primarily threatens confidentiality by exposing order notification data, which could be leveraged for further social engineering or operational disruption. Cozy Vision's SMS Alert Order Notifications are typically used in environments where SMS alerts are critical for order tracking and customer communication, making confidentiality breaches potentially impactful. The lack of patches necessitates immediate mitigation through access control reviews and network segmentation to limit exposure.

Potential Impact

For European organizations, the primary impact of CVE-2025-66086 is the unauthorized disclosure of SMS alert order notification data. This could lead to leakage of sensitive operational information, customer order details, or business process insights, which may be exploited for fraud, social engineering, or competitive intelligence. Sectors such as retail, logistics, and telecommunications that rely heavily on SMS alerting for order management are particularly at risk. Although the vulnerability does not affect system integrity or availability, the confidentiality breach could undermine customer trust and regulatory compliance, especially under GDPR requirements for protecting personal data. The ease of remote exploitation without authentication increases the risk of widespread unauthorized access if the product is exposed to untrusted networks. However, the absence of known exploits and the medium severity score indicate that while the threat is real, it is not currently critical. Organizations that have integrated Cozy Vision SMS Alert Order Notifications into their operational workflows should prioritize assessment and mitigation to prevent potential data leaks and reputational damage.

Mitigation Recommendations

1. Immediately review and tighten access control configurations on all Cozy Vision SMS Alert Order Notifications deployments to ensure proper authorization checks are enforced.
2. Restrict network access to the SMS Alert Order Notifications service by implementing firewall rules or network segmentation, limiting exposure to trusted internal networks only.
3. Monitor logs and network traffic for unusual or unauthorized access attempts to the SMS alert notification endpoints.
4. Engage with Cozy Vision or authorized vendors to obtain patches or updates addressing this vulnerability as they become available.
5. Implement multi-factor authentication and role-based access controls where possible to add layers of security around sensitive notification data.
6. Conduct regular security audits and penetration testing focusing on access control mechanisms within the SMS alerting infrastructure.
7. Educate operational and security teams about the risks of missing authorization vulnerabilities and the importance of strict access controls.
8. Consider alternative secure notification mechanisms if immediate patching or mitigation is not feasible.

These steps go beyond generic advice by focusing on network-level restrictions, proactive monitoring, and vendor engagement specific to this product and vulnerability context.


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-11-21T11:21:04.794Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69205c30c36be036e6ff273c

Added to database: 11/21/2025, 12:33:52 PM

Last enriched: 1/21/2026, 12:24:00 AM

Last updated: 2/7/2026, 8:58:17 AM

