CVE-2025-70363 is a security vulnerability identified in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x. The flaw arises from incorrect access control mechanisms within the API, allowing unauthenticated attackers to enumerate object IDs and access sensitive data without proper authorization. This vulnerability stems from insufficient validation of user permissions when accessing objects via the REST API endpoints. Attackers can exploit this by systematically querying object IDs to retrieve confidential information that should otherwise be protected. The vulnerability affects the 2.x versions of the platform, which are commonly deployed for content management and digital experience solutions. There is no CVSS score assigned yet, and no public exploits have been reported, but the nature of the flaw suggests it can be exploited remotely without authentication or user interaction. The lack of authentication requirement and the ability to enumerate object IDs make this vulnerability particularly dangerous, as it can lead to unauthorized data disclosure. The vulnerability was reserved in January 2026 and published in March 2026, indicating recent discovery. No official patches or mitigation details have been published yet, increasing the urgency for organizations to implement interim protective measures. The platforms affected are used globally, especially in enterprise environments, making this a significant concern for data confidentiality and compliance.

The primary impact of CVE-2025-70363 is unauthorized disclosure of sensitive data due to improper access control in the REST API. Organizations using the affected platforms risk exposure of confidential business information, customer data, or intellectual property. This can lead to reputational damage, regulatory penalties (especially under data protection laws like GDPR), and potential competitive disadvantage. Since the vulnerability allows unauthenticated access, attackers do not need valid credentials, increasing the attack surface and likelihood of exploitation. The ability to enumerate object IDs means attackers can systematically extract large volumes of data. Although no known exploits are currently reported, the vulnerability's characteristics make it a high-value target for threat actors seeking data breaches. The scope of affected systems includes any deployment of Ibexa or Ciril GROUP eZ Platform 2.x, which are used worldwide in various industries including media, government, and enterprise content management. The availability and integrity of systems are less directly impacted, but the confidentiality breach alone is significant.

1. Immediately restrict access to the REST API endpoints to trusted IP addresses or networks using firewall rules or API gateways to limit exposure. 2. Implement strong authentication and authorization checks at the API level, ensuring that all requests are properly validated for user permissions before returning data. 3. Monitor API logs for unusual patterns such as rapid enumeration of object IDs or repeated unauthenticated access attempts, and trigger alerts for suspicious activity. 4. Engage with the vendor (Ibexa / Ciril GROUP) to obtain official patches or updates addressing this vulnerability as soon as they are released. 5. If patching is not immediately possible, consider disabling or limiting the REST API functionality that exposes object enumeration until a fix is applied. 6. Conduct a thorough audit of data exposed via the API to assess potential data leakage and notify affected stakeholders if necessary. 7. Educate development and security teams about secure API design principles to prevent similar access control issues in future deployments. 8. Employ Web Application Firewalls (WAFs) with custom rules to detect and block enumeration patterns targeting the API.