CVE-2025-66911: n/a
CVE-2025-66911 is a broken access control vulnerability in Turms IM Server v0.10.0-SNAPSHOT and earlier. It allows any authenticated user to query sensitive information such as online status, device details, and login timestamps of arbitrary users without proper authorization. Exploitation requires authentication but no further privilege or user interaction. This can lead to privacy violations and potential reconnaissance for further attacks. No known exploits are currently reported in the wild. The vulnerability affects organizations using Turms IM Server, particularly those relying on it for internal or external instant messaging. European organizations with deployments of this software should prioritize patching or mitigating this issue. The severity is assessed as high due to the sensitive nature of the exposed data and ease of exploitation.
AI Analysis
Technical Summary
CVE-2025-66911 identifies a broken access control vulnerability in the Turms IM Server, specifically in versions v0.10.0-SNAPSHOT and earlier. The vulnerability resides in the handleQueryUserOnlineStatusesRequest() method within UserServiceController.java, which is responsible for handling requests to query user online statuses. Due to insufficient authorization checks, any authenticated user can query the online status, device information, and login timestamps of arbitrary users. This flaw allows attackers to gather sensitive user metadata without needing elevated privileges or additional user interaction. Although no exploits have been reported in the wild, the vulnerability poses a significant privacy risk and could facilitate further targeted attacks by providing reconnaissance data. The lack of a CVSS score requires an assessment based on the impact on confidentiality and the ease of exploitation. Since the vulnerability exposes sensitive user information and requires only authentication, it is considered a high-severity issue. The affected software is used for instant messaging services, which are critical communication tools in many organizations. The vulnerability could be exploited internally or by compromised accounts to harvest user activity data, potentially violating privacy regulations such as GDPR. The absence of patch links suggests that users should monitor vendor advisories for updates or apply custom access control measures. Detection and monitoring of unusual query patterns can help mitigate exploitation risks until patches are available.
Potential Impact
For European organizations, the impact of CVE-2025-66911 is primarily on user privacy and data confidentiality. Exposure of online status, device information, and login timestamps can lead to privacy violations under GDPR and other data protection laws, potentially resulting in regulatory fines and reputational damage. Attackers could use this information for social engineering, targeted phishing, or lateral movement within networks. Organizations relying on Turms IM Server for internal communications risk insider threats or compromised accounts exploiting this vulnerability to surveil user activity. The breach of device information could also reveal endpoint details that aid in further exploitation. The impact on availability and integrity is limited, but the confidentiality breach alone is significant. European companies in sectors with strict privacy requirements, such as finance, healthcare, and government, are particularly vulnerable to compliance and trust issues arising from this flaw.
Mitigation Recommendations
To mitigate CVE-2025-66911, organizations should first verify if they are running affected versions of Turms IM Server (v0.10.0-SNAPSHOT or earlier). Immediate steps include implementing strict authorization checks on the handleQueryUserOnlineStatusesRequest() method to ensure only authorized users can query others' online status and related metadata. If vendor patches are released, apply them promptly. Until patches are available, consider network segmentation and access controls to limit who can authenticate and access the IM server. Enable detailed logging and monitoring of user status queries to detect anomalous or excessive requests indicative of exploitation attempts. Conduct regular audits of user permissions and review authentication mechanisms to prevent compromised accounts from abusing this vulnerability. Additionally, educate users about the risks of credential compromise and enforce strong authentication policies, such as multi-factor authentication, to reduce the likelihood of unauthorized access. Finally, review privacy policies and incident response plans to prepare for potential data exposure scenarios.
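As an added example (not code from the Turms project or from this advisory), the following Python sketches the monitoring step recommended above: it scans constructed status-query log lines and flags any account that looks up more than a handful of distinct users within a short window, which is the pattern an account abusing this flaw would leave. The log line format, field names and thresholds are assumptions for illustration.

```python
# Added example (not Turms project code): flag accounts that enumerate other
# users' online status through repeated queryUserOnlineStatuses requests.
# The log line format, field names and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) action=queryUserOnlineStatuses "
    r"targets=(?P<targets>[\d,]+)$"
)

# Constructed sample log: user 1001 queries nine distinct users in 19 seconds,
# user 1002 queries one user at a time, minutes apart.
SAMPLE_LOG = """\
2025-12-19T14:00:01Z user=1001 action=queryUserOnlineStatuses targets=2001,2002
2025-12-19T14:00:05Z user=1002 action=queryUserOnlineStatuses targets=3001
2025-12-19T14:00:09Z user=1001 action=queryUserOnlineStatuses targets=2003,2004,2005
2025-12-19T14:00:20Z user=1001 action=queryUserOnlineStatuses targets=2006,2007,2008,2009
2025-12-19T14:03:00Z user=1002 action=queryUserOnlineStatuses targets=3002
"""

def parse(log_text):
    """Yield (timestamp, requester, set of queried user ids) per matching line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not status queries
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], set(m["targets"].split(","))

def find_enumerators(log_text, window=timedelta(seconds=60), max_targets=5):
    """Return {requester: distinct targets} for accounts that queried more than
    max_targets distinct users inside any window-long span of their requests."""
    events = defaultdict(list)
    for ts, user, targets in parse(log_text):
        events[user].append((ts, targets))
    flagged = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, targets in evs[i:]:
                if ts - start > window:
                    break
                seen |= targets
            if len(seen) > max_targets:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged
```

Tune the window and threshold to the legitimate contact-list sizes seen in your deployment so that normal roster refreshes do not trip the rule.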
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69456029a90e3c9a153cc466
Added to database: 12/19/2025, 2:24:41 PM
Last enriched: 12/19/2025, 2:39:42 PM
Last updated: 12/19/2025, 3:24:55 PM