CVE-2025-67719: CWE-620: Unverified Password Change in ibexa user
Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into the validation code that causes the validation of the previous password not to run as expected. This makes it possible for a logged-in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, thereby locking the legitimate user out. This issue is fixed in version 5.0.4.
AI Analysis
Technical Summary
CVE-2025-67719 is a vulnerability classified under CWE-620 (Unverified Password Change) affecting Ibexa's user management component in versions from 5.0.0-beta1 up to but not including 5.0.4. During the upgrade from version 4 to 5, a regression was introduced that bypasses the validation of the current password when a logged-in user attempts to change their password in the back-office interface. This means that any authenticated user can change their password without supplying the previous password, undermining the integrity of the authentication process. The vulnerability does not require elevated privileges beyond a valid user session, nor does it require user interaction beyond the password change action itself. The attack vector is local (AV:L), meaning the attacker must have access to an active session on the system, such as through an unattended workstation or hijacked session. The CVSS 4.0 score is 8.5 (high), reflecting the significant impact on confidentiality and integrity, as an attacker can lock out legitimate users by changing their passwords. No known exploits are currently reported in the wild. The issue is resolved in Ibexa version 5.0.4, where proper password validation is restored. This vulnerability primarily impacts organizations relying on Ibexa for digital experience management, especially those with insufficient session management or workstation security policies.
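The check that the regression described above skipped, re-verifying the caller's current password before a new one is accepted, looks like this in outline. This is an added illustration in Python with an in-memory user store, not Ibexa's code: the `UserStore` class, the PBKDF2 parameters and the 12-character policy are assumptions made for the example. `change_password_unverified` shows the CWE-620 shape for contrast; `change_password` is the handler as it should behave, refusing the write when the current password does not verify.

```python
"""Added example: a password-change handler that re-verifies the current password
(the CWE-620 check). Stand-in code with an in-memory user store, not Ibexa's code."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # work factor chosen for the example, not a recommendation
MIN_NEW_PASSWORD_LEN = 12     # assumed policy for the example


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Minimal username -> (salt, digest) mapping standing in for the user repository."""

    def __init__(self):
        self.users = {}

    def add(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify_password(password, *record)


def change_password_unverified(store: UserStore, username: str, new_password: str) -> bool:
    """CWE-620 shape: the handler trusts the session alone and never asks for the
    current password, so whoever holds the session can rotate the credential."""
    store.users[username] = hash_password(new_password)
    return True


def change_password(store: UserStore, username: str, current_password: str,
                    new_password: str) -> bool:
    """Hardened handler: the current password must verify before the record is written.
    Returns False on a wrong current password; raises on policy violations."""
    record = store.users.get(username)
    if record is None:
        raise LookupError("unknown user")
    if not verify_password(current_password, *record):
        return False   # the write path is never reached without the current password
    if new_password == current_password or len(new_password) < MIN_NEW_PASSWORD_LEN:
        raise ValueError("new password rejected by policy")
    store.users[username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "correct horse battery staple")
    print("wrong current password accepted?",
          change_password(store, "alice", "not-the-password", "a-new-long-password-42"))
    print("right current password accepted?",
          change_password(store, "alice", "correct horse battery staple", "a-new-long-password-42"))
```

The hardened handler returns before any write when the current password fails, which is the property a regression test for this class of bug should pin down: a change request carrying the wrong current password must leave the stored credential untouched.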
Potential Impact
For European organizations, this vulnerability poses a risk of account lockout and potential denial of access to critical back-office systems managing digital experiences, content, and customer interactions. Attackers with physical or remote access to an active user session can change passwords without knowing the original credentials, leading to potential operational disruptions and loss of control over user accounts. This can affect service availability, user trust, and compliance with data protection regulations such as GDPR if unauthorized access leads to data exposure or service interruption. Organizations with shared workstations, insufficient session timeout policies, or lax physical security controls are particularly vulnerable. The impact extends to reputational damage and potential financial losses due to downtime or recovery efforts. Since Ibexa is used by enterprises for customer-facing platforms, disruption can also affect end-user experience and business continuity.
Mitigation Recommendations
1. Upgrade all Ibexa installations to version 5.0.4 or later immediately to ensure the password validation bug is fixed.
2. Enforce strict session management policies, including automatic session timeouts and mandatory workstation locking when unattended.
3. Implement multi-factor authentication (MFA) to reduce risk from compromised sessions.
4. Monitor logs for unusual password change activities and implement alerts for rapid response.
5. Educate users on the importance of locking their workstations when stepping away.
6. Restrict physical access to systems where the Ibexa back office is accessed.
7. Consider additional application-level controls such as IP restrictions or device fingerprinting to limit session hijacking risks.
8. Conduct regular audits of user accounts and password changes to detect anomalies early.
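Recommendations 4 and 8 above call for watching password changes in the logs. The screen below, an added example and not Ibexa's audit log format, flags the three patterns that matter for this bug: a password change from a session whose source address differs from the one that logged in, a change after a long idle gap (the unattended-workstation case in the description), and repeated changes for one user within a short window. The line format, field names, thresholds and sample lines are all constructed for the example.

```python
"""Added example: screen back-office audit events for password changes that deserve
a look. Constructed log format and sample lines; not Ibexa's audit log."""
import re
from datetime import datetime, timedelta

# Assumed one-event-per-line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"ip=(?P<ip>\S+) session=(?P<session>\S+)$"
)

# Constructed sample: bob's change is routine; carol's session switches source address
# and rotates twice; alice's change comes 95 minutes after her last activity.
SAMPLE_LOG = """\
2025-12-11T08:00:00Z user=alice event=login ip=10.0.0.5 session=s1
2025-12-11T08:05:00Z user=alice event=content_edit ip=10.0.0.5 session=s1
2025-12-11T09:40:00Z user=alice event=password_change ip=10.0.0.5 session=s1
2025-12-11T08:10:00Z user=bob event=login ip=10.0.0.7 session=s2
2025-12-11T08:12:00Z user=bob event=password_change ip=10.0.0.7 session=s2
2025-12-11T08:30:00Z user=carol event=login ip=10.0.0.9 session=s3
2025-12-11T08:31:00Z user=carol event=password_change ip=198.51.100.4 session=s3
2025-12-11T08:32:00Z user=carol event=password_change ip=198.51.100.4 session=s3
"""


def parse_events(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def find_suspicious_password_changes(log_text: str,
                                     idle_gap: timedelta = timedelta(minutes=30),
                                     burst_window: timedelta = timedelta(minutes=10)):
    """Return [(user, timestamp_iso, [reasons])] for password changes worth reviewing."""
    events = sorted(parse_events(log_text), key=lambda e: e["ts"])
    session_ip = {}       # session id -> source address seen at login
    last_seen = {}        # session id -> timestamp of the previous event in that session
    recent_changes = {}   # user -> timestamps of recent password changes
    findings = []
    for event in events:
        session = event["session"]
        if event["event"] == "login":
            session_ip[session] = event["ip"]
        elif event["event"] == "password_change":
            reasons = []
            login_ip = session_ip.get(session)
            if login_ip is not None and login_ip != event["ip"]:
                reasons.append("ip_changed_mid_session")
            previous = last_seen.get(session)
            if previous is not None and event["ts"] - previous >= idle_gap:
                reasons.append("after_idle_gap")
            history = [t for t in recent_changes.get(event["user"], [])
                       if event["ts"] - t <= burst_window]
            if history:
                reasons.append("repeated_change")
            recent_changes[event["user"]] = history + [event["ts"]]
            if reasons:
                findings.append((event["user"], event["ts"].isoformat(), reasons))
        last_seen[session] = event["ts"]
    return findings


if __name__ == "__main__":
    for user, when, reasons in find_suspicious_password_changes(SAMPLE_LOG):
        print(f"{when} {user}: {', '.join(reasons)}")
```

Events are sorted by timestamp before the pass, so out-of-order lines (as in the sample) are handled. The idle-gap rule is the one that speaks directly to this advisory: a password change is the first thing a session does after a long silence far more often when someone other than the owner is at the keyboard.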
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T18:46:14.762Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693a262ebbbecd30a6f23ccd
Added to database: 12/11/2025, 2:02:22 AM
Last enriched: 12/11/2025, 2:17:01 AM
Last updated: 12/11/2025, 6:33:35 AM