CVE-2025-68542: Missing Authorization in vgdevsolutions Checkout Gateway for IRIS
CVE-2025-68542 is a Missing Authorization vulnerability in vgdevsolutions Checkout Gateway for IRIS versions up to 1.3. The flaw arises from incorrectly configured access control, allowing unauthorized users to perform actions without the proper permissions. The vulnerability affects the checkout-gateway-iris product and does not currently have known exploits in the wild. No CVSS score is assigned, but the issue poses a high risk because it can grant unauthorized access within a payment processing system. Organizations using this gateway should prioritize patching or implementing strict access controls. The threat primarily impacts entities relying on this specific payment gateway software, which may be more prevalent in countries with significant e-commerce activity using vgdevsolutions products. Immediate mitigation involves reviewing and correcting authorization configurations and monitoring for suspicious activity. Countries with advanced e-commerce sectors and vgdevsolutions market presence, such as the United States, United Kingdom, Germany, Canada, Australia, and Japan, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2025-68542 identifies a Missing Authorization vulnerability in the Checkout Gateway for IRIS product developed by vgdevsolutions, affecting versions up to 1.3. The vulnerability stems from improperly configured access control mechanisms within the checkout-gateway-iris software, which fails to enforce correct authorization checks before allowing certain operations. This misconfiguration can enable attackers to bypass intended security restrictions, potentially granting unauthorized access to sensitive payment processing functions or data. Although no exploits have been reported in the wild, the nature of the vulnerability suggests that an attacker with network access to the gateway could manipulate requests to perform unauthorized actions. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed for severity, but the impact on confidentiality and integrity of payment transactions is significant. The vulnerability affects organizations using this specific payment gateway, which is likely deployed in e-commerce environments requiring secure transaction processing. The issue was reserved in December 2025 and published in February 2026, indicating recent discovery and disclosure. No official patches or mitigations have been linked yet, emphasizing the need for immediate attention by affected parties.
Potential Impact
The Missing Authorization vulnerability in Checkout Gateway for IRIS can lead to unauthorized access to payment processing functions, potentially allowing attackers to manipulate transactions, access sensitive customer payment data, or disrupt payment workflows. This compromises the confidentiality and integrity of financial data and could result in financial losses, reputational damage, and regulatory penalties for affected organizations. The availability of the payment gateway could also be indirectly impacted if attackers exploit the flaw to cause operational disruptions. Given that payment gateways are critical infrastructure in e-commerce, exploitation could have cascading effects on business operations and customer trust. The lack of authentication or authorization enforcement increases the ease of exploitation, especially if the gateway is exposed to untrusted networks. Organizations worldwide that rely on this product for processing payments are at risk, particularly those with high transaction volumes or stringent compliance requirements.
Mitigation Recommendations
Organizations using Checkout Gateway for IRIS should immediately audit their access control configurations to ensure that authorization checks are correctly implemented and enforced. Network segmentation should be applied to restrict access to the gateway only to trusted systems and users. Monitoring and logging of gateway access should be enhanced to detect anomalous or unauthorized activities promptly. Until an official patch is released by vgdevsolutions, consider implementing compensating controls such as web application firewalls (WAFs) with custom rules to block suspicious requests targeting authorization bypass attempts. Engage with the vendor for updates on patches or security advisories. Conduct penetration testing focused on access control to identify and remediate any additional weaknesses. Finally, ensure that all related systems and dependencies are kept up to date to reduce the attack surface.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Japan, France, Netherlands, Singapore, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-19T10:17:09.987Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6998c9f0be58cf853bab85b7
Added to database: 2/20/2026, 8:54:08 PM
Last enriched: 2/20/2026, 9:23:23 PM
Last updated: 2/21/2026, 6:22:32 AM