CVE-2025-70363 is a vulnerability classified under CWE-284 (Improper Access Control) affecting the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x. The flaw allows unauthenticated attackers to enumerate object IDs via the API and retrieve sensitive data that should be protected. This occurs due to insufficient access control checks on API endpoints, permitting unauthorized data exposure. The vulnerability has a CVSS v3.1 base score of 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts confidentiality (C:H) but not integrity or availability. The scope remains unchanged (S:U), meaning the vulnerability affects only the vulnerable component. The lack of authentication and user interaction requirements makes this vulnerability particularly dangerous, as attackers can remotely access sensitive information without any credentials. Although no patches or known exploits are currently available, the vulnerability poses a significant risk to organizations relying on these platforms for content management or digital experience management.

The primary impact of CVE-2025-70363 is unauthorized disclosure of sensitive data, which can lead to information leakage, privacy violations, and potential compliance breaches. Organizations using the affected platforms may have confidential business data, user information, or intellectual property exposed to attackers. This can result in reputational damage, legal consequences, and loss of customer trust. Since the vulnerability does not affect data integrity or system availability, it does not directly enable data modification or denial of service. However, the ease of exploitation without authentication increases the risk of widespread data exposure. Attackers could leverage the exposed data for further attacks such as phishing, social engineering, or targeted intrusions. The absence of known exploits in the wild currently limits immediate impact but does not reduce the urgency for remediation given the vulnerability's characteristics.

To mitigate CVE-2025-70363, organizations should immediately audit and strengthen access control mechanisms on the REST API endpoints of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x. Specific recommendations include: 1) Implement strict authentication and authorization checks on all API calls, ensuring that only authorized users can access sensitive data. 2) Employ rate limiting and monitoring on API endpoints to detect and prevent enumeration attempts. 3) Review and restrict object ID exposure, using opaque or randomized identifiers instead of sequential or guessable IDs. 4) Apply the principle of least privilege to API access, limiting data exposure to only what is necessary. 5) Monitor vendor advisories for patches or updates addressing this vulnerability and apply them promptly once available. 6) Conduct penetration testing focused on API security to identify similar access control weaknesses. 7) Educate development and security teams about secure API design and access control best practices to prevent recurrence.