CVE-2025-67719: CWE-620: Unverified Password Change in ibexa user
Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to run as expected. This makes it possible for a logged in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, therefore locking the legitimate user out. This issue is fixed in version 5.0.4.
AI Analysis
Technical Summary
CVE-2025-67719 is a vulnerability classified under CWE-620 (Unverified Password Change) affecting Ibexa's Digital Experience Platform (DXP) user management component. Specifically, versions from 5.0.0-beta1 up to but not including 5.0.4 contain a logic error introduced during the transition from version 4 to 5, which disables the validation of the current password when a user attempts to change their password in the back office interface. This flaw means that any authenticated user can change their own password without knowing the existing password, effectively bypassing a critical security control. The vulnerability arises because the password validation routine fails to execute as intended, allowing password changes without verification. Exploitation requires the attacker to have access to an active user session, which could occur if a user leaves their workstation unlocked or if session hijacking is possible. The impact includes potential account lockout of legitimate users and unauthorized account control, threatening confidentiality and availability. The vulnerability has a CVSS 4.0 score of 8.5 (high severity), reflecting its serious impact and relatively low attack complexity, though it requires local access to an authenticated session. The issue is resolved in Ibexa version 5.0.4, which restores proper password validation. No public exploits have been reported to date.
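To make the CWE-620 pattern concrete, the following Python is an added illustration, not Ibexa code: a minimal password-change handler in which the current-password check sits behind a condition the back-office flow never satisfies (a stand-in for the unspecified defect the advisory describes), beside the hardened form where the check is unconditional and happens before any write. The `User` store, hashing helper, audit entries and all function names are constructed for this example.

```python
"""Added example (not Ibexa's code): unverified vs. verified password change.

Models CWE-620 in the shape the advisory describes: the check of the
previous password exists but does not run, so any holder of an
authenticated session can set a new password. Everything here
(user store, hasher, audit trail, names) is constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    audit: list = field(default_factory=list)  # constructed audit trail


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hasher a real platform uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt))


def verify_current_password(user: User, candidate: str) -> bool:
    # Constant-time comparison of the candidate against the stored hash.
    return hmac.compare_digest(_hash(candidate, user.salt), user.pw_hash)


class PasswordChangeError(Exception):
    pass


def _store_new_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)


def change_password_vulnerable(user: User, old_password: str,
                               new_password: str, *, validate: bool = False) -> None:
    """Defect model (assumption, not the real bug): the old-password check is
    gated on a flag that the calling flow never sets, so it silently never
    runs and the wrong old password is accepted."""
    if validate and not verify_current_password(user, old_password):
        raise PasswordChangeError("current password does not match")
    _store_new_password(user, new_password)
    user.audit.append(("password_changed", "old_password_verified=False"))


def change_password_fixed(user: User, old_password: str, new_password: str) -> None:
    """Hardened form: verification is unconditional and precedes the write.
    A rejected attempt is recorded so repeated failures can be alerted on."""
    if not verify_current_password(user, old_password):
        user.audit.append(("password_change_rejected", "bad current password"))
        raise PasswordChangeError("current password does not match")
    _store_new_password(user, new_password)
    user.audit.append(("password_changed", "old_password_verified=True"))


def rejected_change_count(user: User) -> int:
    """Detection signal for the fixed path: how many changes were refused."""
    return sum(1 for event, _ in user.audit if event == "password_change_rejected")


if __name__ == "__main__":
    victim = make_user("alice", "correct horse battery staple")
    change_password_vulnerable(victim, "anything", "attacker-chosen")
    print("vulnerable path accepted wrong old password:",
          verify_current_password(victim, "attacker-chosen"))

    user = make_user("bob", "correct horse battery staple")
    try:
        change_password_fixed(user, "anything", "attacker-chosen")
    except PasswordChangeError as exc:
        print("fixed path rejected:", exc)
    change_password_fixed(user, "correct horse battery staple", "new-secret")
    print("fixed path after correct old password:",
          verify_current_password(user, "new-secret"))
```

The point worth carrying into a code review: the check must be a precondition of the write with no flag, validation group or early return able to skip it, and the rejected path should leave an audit record so that the monitoring the mitigation section recommends has something to alert on.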
Potential Impact
For European organizations using Ibexa DXP versions 5.0.0-beta1 through 5.0.3, this vulnerability poses a significant risk to user account security and operational continuity. Attackers with access to an unattended or hijacked session can change passwords without knowing the original credentials, potentially locking out legitimate users and disrupting business processes reliant on the platform. This can lead to denial of service for affected accounts and may facilitate further unauthorized access if attackers leverage the compromised accounts. Confidentiality is at risk as attackers gain control over user identities, and availability is impacted by account lockouts. Given that Ibexa is used in digital experience and content management scenarios, exploitation could affect customer-facing services, internal workflows, and sensitive data management. The vulnerability's requirement for an active session limits remote exploitation but elevates risk in environments with weak session management or physical security. The lack of known exploits suggests limited current threat activity, but the high severity score warrants urgent remediation to prevent potential abuse.
Mitigation Recommendations
European organizations should immediately upgrade Ibexa DXP installations to version 5.0.4 or later, where the password validation issue is fixed. Until patching is complete, organizations should enforce strict session management policies, including automatic session timeouts, screen locking on inactivity, and user training to prevent leaving sessions unattended. Implementing multi-factor authentication (MFA) can reduce the risk of session hijacking. Monitoring and alerting on unusual password change activities can help detect exploitation attempts. Network segmentation and access controls should limit who can reach the back office interface. Additionally, organizations should review audit logs for suspicious password changes and consider temporary restrictions on password changes for sensitive accounts. Regular vulnerability scanning and penetration testing focused on session management and authentication controls will help identify residual risks. Finally, ensure that all users are informed about the importance of locking their workstations when away to mitigate local exploitation vectors.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T18:46:14.762Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693a262ebbbecd30a6f23ccd
Added to database: 12/11/2025, 2:02:22 AM
Last enriched: 12/18/2025, 5:01:22 AM
Last updated: 2/7/2026, 11:04:13 AM
Views: 98