CVE-2025-66164: Missing Authorization in merkulove Laser
Missing Authorization vulnerability in merkulove Laser laser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Laser: from n/a through <= 1.1.1.
AI Analysis
Technical Summary
CVE-2025-66164 identifies a missing authorization vulnerability in the merkulove Laser product, specifically affecting versions up to and including 1.1.1. The core issue stems from incorrectly configured access control security levels, which means that the software fails to properly verify whether a user has the necessary permissions before allowing access to certain functions or data. This type of vulnerability can enable unauthorized users to perform actions or access information that should be restricted, potentially leading to data breaches or unauthorized system modifications. The vulnerability was reserved in late November 2025 and published in mid-December 2025, but no CVSS score has been assigned yet, nor are there any known exploits in the wild. The lack of a CVSS score suggests the vulnerability is newly disclosed and may not yet have been fully analyzed or exploited. However, missing authorization issues are generally considered serious because they can be exploited without authentication or user interaction, increasing the attack surface. The merkulove Laser product is used in certain digital or creative workflows, and improper access control could compromise sensitive project data or system integrity. The absence of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate risk mitigation by affected organizations.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality and integrity, as unauthorized users could gain access to sensitive data or manipulate system functions without proper authorization. This could lead to data leaks, intellectual property theft, or disruption of business processes, especially in industries relying on merkulove Laser for digital content creation or management. The availability impact is likely limited unless the unauthorized access is leveraged to disrupt services. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once details become widely known. Organizations in sectors such as media, design, or any industry using merkulove Laser for critical workflows are particularly vulnerable. The potential for unauthorized access without authentication increases the urgency for mitigation. Additionally, regulatory compliance in Europe, such as GDPR, could be impacted if personal or sensitive data is exposed due to this vulnerability, leading to legal and financial consequences.
Mitigation Recommendations
European organizations should immediately review and tighten access control configurations for merkulove Laser installations, ensuring that only authorized users have access to sensitive functions and data. Until an official patch is released, implement network segmentation to isolate systems running merkulove Laser from untrusted networks and users. Employ strict monitoring and logging of access attempts to detect any unauthorized activity early. Conduct internal audits to identify any misconfigurations in user roles and permissions within the software. If possible, disable or restrict features that do not require immediate use and could be exploited. Engage with merkulove support channels to obtain information on forthcoming patches or workarounds. Additionally, educate users about the risk and encourage vigilance for suspicious behavior. Finally, consider deploying application-layer firewalls or endpoint protection solutions that can enforce additional access controls or detect anomalous usage patterns related to merkulove Laser.
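The two points made above, that the product fails to verify permissions before a sensitive action and that access attempts should be logged and monitored, are easier to reason about with a concrete handler. The block below is an added illustration and is not code from merkulove Laser (the page does not describe the product's internals); the actions, roles, audit-log format and the monitoring threshold are constructed assumptions. It places a handler that skips the authorization check beside one that enforces it and writes an audit record, then scans the resulting log lines for repeated denials from one principal.

```python
"""Missing-authorization illustration: a handler that skips the permission
check beside one that enforces it, plus a small pass over access-log lines.

Added example, not code from merkulove Laser (the page does not describe
the product's internals). Actions, roles and the log format are
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class User:
    name: str                      # "" means an unauthenticated request
    roles: frozenset = frozenset()


# Constructed privilege map: the minimum role each sensitive action requires.
ROLE_RANK = {"subscriber": 1, "editor": 2, "admin": 3}
REQUIRED_ROLE = {
    "export_project": "editor",
    "delete_project": "admin",
    "change_settings": "admin",
}


class Forbidden(Exception):
    """Raised when the caller lacks the role an action requires."""


def is_authorized(user: User, action: str) -> bool:
    """True when any of the user's roles ranks at or above the required role."""
    needed = ROLE_RANK[REQUIRED_ROLE[action]]
    return any(ROLE_RANK.get(role, 0) >= needed for role in user.roles)


def handle_vulnerable(user: User, action: str, project_id: int) -> str:
    """The defect class: the handler assumes reaching it implies permission."""
    return f"{action} applied to project {project_id}"


def handle_fixed(user: User, action: str, project_id: int, audit: list) -> str:
    """Authorization enforced server-side on every call, with an audit record."""
    who = user.name or "anonymous"
    if not is_authorized(user, action):
        audit.append(f"DENY user={who} action={action} project={project_id}")
        raise Forbidden(f"{who} may not {action}")
    audit.append(f"ALLOW user={who} action={action} project={project_id}")
    return f"{action} applied to project {project_id}"


LOG_LINE = re.compile(r"^(ALLOW|DENY) user=(\S+) action=(\S+) project=(\d+)$")


def denied_by_user(log_lines, threshold: int = 3) -> dict:
    """Return users whose DENY count reaches `threshold`.

    A run of denials from one principal, especially an unauthenticated one,
    is the signal the monitoring recommendation is meant to surface.
    """
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group(1) == "DENY":
            counts[m.group(2)] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def demo():
    """Walk the same request through both handlers and scan the resulting log."""
    anonymous = User("")
    editor = User("eve", frozenset({"editor"}))
    admin = User("ada", frozenset({"admin"}))
    audit = []

    # Vulnerable path: an unauthenticated caller deletes a project unchallenged.
    unchecked = handle_vulnerable(anonymous, "delete_project", 7)

    # Fixed path: the same call is denied and logged; only the admin succeeds.
    outcomes = {}
    for user in (anonymous, editor, admin):
        try:
            handle_fixed(user, "delete_project", 7, audit)
            outcomes[user.name or "anonymous"] = "allowed"
        except Forbidden:
            outcomes[user.name or "anonymous"] = "denied"

    # Constructed log excerpt: repeated denials from the same anonymous source.
    sample_log = audit + [
        "DENY user=anonymous action=change_settings project=7",
        "DENY user=anonymous action=export_project project=8",
        "ALLOW user=eve action=export_project project=8",
    ]
    return unchecked, outcomes, denied_by_user(sample_log)


if __name__ == "__main__":
    print(demo())
```

The check lives in the handler rather than in the UI because hiding a button does not stop a crafted request; every privileged entry point needs its own server-side decision. The audit line is written on both outcomes so that a denial spike can be distinguished from a quiet period in which the handler was never reached.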
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:54.907Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69411752594e45819d70cb7a
Added to database: 12/16/2025, 8:24:50 AM
Last enriched: 12/16/2025, 8:44:30 AM
Last updated: 12/17/2025, 10:16:13 PM
Views: 14
Related Threats
- CVE-2025-68129: CWE-863: Incorrect Authorization in auth0 auth0-PHP (Medium)
- CVE-2025-14832: SQL Injection in itsourcecode Online Cake Ordering System (Medium)
- CVE-2025-68401: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM (Medium)
- CVE-2025-68275: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM (Critical)
- CVE-2025-68399: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM (Low)