The vulnerability identified as CVE-2025-66911 affects Turms IM Server versions 0.10.0-SNAPSHOT and earlier. It is a broken access control issue classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-284 (Improper Access Control). Specifically, the method handleQueryUserOnlineStatusesRequest() in UserServiceController.java fails to enforce proper authorization checks when processing requests to query user online statuses. As a result, any authenticated user can retrieve sensitive information about other users, including their online presence, device information, and login timestamps. This exposure compromises user privacy and confidentiality, potentially enabling further targeted attacks or social engineering. The vulnerability has a CVSS 3.1 base score of 6.5, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (authenticated user), no user interaction, and impacting confidentiality only. No integrity or availability impact is noted. No public exploits have been reported yet, but the vulnerability's nature makes it a significant privacy concern in environments where Turms IM Server is deployed. The lack of proper authorization checks suggests a design or implementation flaw in access control mechanisms within the user service component.

For European organizations, the primary impact is the unauthorized disclosure of sensitive user metadata such as online status, device details, and login timestamps. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR), and potential reputational damage. Attackers with valid credentials could map user activity patterns, infer organizational structures, or identify high-value targets for further attacks. While the vulnerability does not allow direct data modification or service disruption, the confidentiality breach alone is significant, especially in sectors handling sensitive communications such as finance, healthcare, or government. Organizations relying on Turms IM Server for internal or customer communications may face increased risk of insider threats or external attackers leveraging compromised credentials. The absence of known exploits provides a window for remediation, but the medium severity score warrants timely action to prevent escalation.

To mitigate this vulnerability, organizations should first verify if they are running affected versions of Turms IM Server (v0.10.0-SNAPSHOT or earlier). Immediate steps include restricting access to the user online status query API to only highly trusted roles or administrators through network segmentation or API gateway policies. Implement additional authorization checks at the application layer to ensure users can only query their own status or those they are explicitly permitted to view. Monitoring and logging access to this functionality can help detect anomalous queries indicative of exploitation attempts. If patches or updates become available from the vendor, prioritize their deployment. In the absence of patches, consider disabling or limiting the affected functionality temporarily. Educate users on credential security to reduce risk from compromised accounts. Finally, conduct regular access control audits and penetration testing focused on authorization mechanisms to prevent similar issues.