CVE-2025-67597 is a Missing Authorization vulnerability identified in Shahjahan Jewel's Fluent Booking software, affecting versions up to 1.9.11. The vulnerability stems from incorrectly configured access control security levels, which means that certain functions or data within the application can be accessed without proper authorization checks. This flaw allows an unauthenticated attacker, or one without elevated privileges, to exploit the system by tricking a user into performing an action (user interaction required), potentially exposing confidential information. The CVSS 3.1 base score of 4.3 reflects a medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), limited confidentiality impact (C:L), and no impact on integrity or availability (I:N/A:N). The vulnerability does not appear to have known exploits in the wild yet, but the misconfiguration of access controls is a common and critical security issue that can lead to unauthorized data access or leakage. The lack of patches at the time of publication suggests that organizations must proactively audit their access control settings and monitor for updates from the vendor. The vulnerability is particularly relevant for organizations using Fluent Booking to manage appointments or bookings, as unauthorized access could expose sensitive customer or business data.

For European organizations, the primary impact of CVE-2025-67597 is the potential unauthorized disclosure of confidential booking or customer data managed through Fluent Booking. This could lead to privacy violations, regulatory non-compliance (e.g., GDPR breaches), and reputational damage. Since the vulnerability does not affect integrity or availability, the risk of data tampering or service disruption is low. However, unauthorized access to sensitive information can facilitate further attacks such as social engineering or targeted phishing. Industries with high reliance on booking systems, such as healthcare, hospitality, and professional services, are particularly at risk. The medium severity score indicates that while the vulnerability is not critical, it still represents a significant security concern that should be addressed promptly to avoid exploitation, especially as user interaction is required, which could be induced via phishing or social engineering campaigns.

1. Immediately audit and review all access control configurations within Fluent Booking to ensure that authorization checks are correctly implemented for all sensitive functions and data. 2. Implement strict role-based access controls (RBAC) to limit user permissions to the minimum necessary. 3. Educate users about the risks of social engineering and phishing attacks that could trigger exploitation requiring user interaction. 4. Monitor network and application logs for unusual access patterns or unauthorized attempts to access restricted functions. 5. Apply vendor patches or updates as soon as they become available to address this vulnerability. 6. If patches are not yet available, consider deploying web application firewalls (WAFs) with custom rules to block suspicious requests targeting access control weaknesses. 7. Conduct penetration testing focused on access control mechanisms to identify and remediate similar misconfigurations. 8. Ensure that sensitive booking data is encrypted both at rest and in transit to minimize exposure in case of unauthorized access.