
CVE-2025-7717: CWE-862 Missing Authorization in Drupal File Download

Severity: High
Tags: Vulnerability, CVE-2025-7717, CWE-862
Published: Mon Jul 21 2025 (07/21/2025, 16:37:14 UTC)
Source: CVE Database V5
Vendor/Project: Drupal
Product: File Download

Description

Missing Authorization vulnerability in Drupal File Download allows Forceful Browsing. This issue affects File Download: from 0.0.0 before 1.9.0, from 2.0.0 before 2.0.1.

AI-Powered Analysis

Last updated: 07/29/2025, 01:26:29 UTC

Technical Analysis

CVE-2025-7717 is a high-severity vulnerability classified under CWE-862 (Missing Authorization) in the Drupal File Download contributed module. It affects every 1.x release before 1.9.0 and the 2.0.0 release; 1.9.0 and 2.0.1 contain the fix. The flaw permits forceful browsing: the module serves file download requests without deciding whether the requesting account is authorized to access the file, so a remote client that knows or guesses a download URL (for example by enumerating file identifiers) receives a file that the site intended to restrict. No authentication bypass is involved; the request simply passes through with no authorization decision at all. The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): reachable over the network, low attack complexity, no privileges or user interaction required, high confidentiality impact, no integrity or availability impact. The CVE record itself carries no CVSS data (see Technical Details below); the 7.5 figure comes from this analysis. The practical consequence is disclosure of documents that were meant to be available only to particular roles or users, which is precisely the access the module exists to mediate, so any Drupal site running a vulnerable release is exposed. No exploitation in the wild had been reported at the time of analysis, but an unauthenticated network vector combined with requests that can be scripted trivially makes unpatched sites an easy target.
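The pattern the analysis describes, shown as an added example in the form a Drupal route controller would take. This is not the File Download module's own code: the module name, class, route paths and the assumption that files are addressed by numeric file id are hypothetical. The first method has the CWE-862 shape (existence is the only check); the second restores the authorization decision by asking Drupal core's file access control handler for the `download` operation.

```php
<?php

declare(strict_types=1);

// Added example (not the File Download module's code): a Drupal 10/11 route
// controller that streams a managed file by id, first without and then with
// an authorization check. Module, class and route paths are hypothetical.

namespace Drupal\example_download\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\file\Entity\File;
use Drupal\file\FileInterface;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

final class DownloadController extends ControllerBase {

  // Hypothetical route definition (example_download.routing.yml):
  //
  // example_download.file:
  //   path: '/download/{fid}'
  //   defaults:
  //     _controller: '\Drupal\example_download\Controller\DownloadController::downloadChecked'
  //   requirements:
  //     _access: 'TRUE'   # route is open; the controller must decide access itself

  /**
   * Vulnerable (CWE-862): the only check is that the file exists.
   * An anonymous client can walk /download/1, /download/2, ... and receive
   * every managed file, including those stored under private://.
   */
  public function downloadVulnerable(int $fid): BinaryFileResponse {
    $file = File::load($fid);
    if ($file === NULL) {
      throw new NotFoundHttpException();
    }
    return $this->stream($file);
  }

  /**
   * Fixed: consult the file entity's access handler for the 'download'
   * operation on behalf of the current account before streaming anything.
   * For private:// files core allows this only when the account can view
   * an entity and field that reference the file; otherwise the client gets
   * a 403 instead of the file contents.
   */
  public function downloadChecked(int $fid): BinaryFileResponse {
    $file = File::load($fid);
    if ($file === NULL) {
      throw new NotFoundHttpException();
    }
    if (!$file->access('download', $this->currentUser())) {
      throw new AccessDeniedHttpException();
    }
    return $this->stream($file);
  }

  /** Resolve the stream wrapper URI to a local path and send it as an attachment. */
  private function stream(FileInterface $file): BinaryFileResponse {
    $path = \Drupal::service('file_system')->realpath($file->getFileUri());
    if ($path === FALSE) {
      throw new NotFoundHttpException();
    }
    $response = new BinaryFileResponse($path);
    $response->setContentDisposition(
      ResponseHeaderBag::DISPOSITION_ATTACHMENT,
      $file->getFilename()
    );
    return $response;
  }

}
```

Two caveats a reviewer would raise. First, the same check can be declared in routing instead of in the controller (path `/download/{file}` with `requirements: _entity_access: 'file.download'` and a `parameters: file: type: entity:file` option), which makes the missing check visible in a one-line review of the routing file. Second, the entity access check only matters for files under private://; anything written to the public files directory is served directly by the web server, so no module-level check can restrict it.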

Potential Impact

For European organizations, this vulnerability poses a substantial risk to data confidentiality, especially for entities that rely on Drupal to manage sensitive documents: government agencies, healthcare providers, financial institutions, and enterprises that handle personal data under GDPR. Unauthorized file access can expose personal data, intellectual property, or confidential business information, with regulatory penalties, reputational damage, and loss of customer trust as likely consequences; under European data protection rules any such disclosure may itself be a reportable breach. Because the attack neither disrupts service nor modifies data, a public-facing Drupal site with a vulnerable File Download release can leak files for a long time with no symptom other than the requests recorded in its web server access logs.

Mitigation Recommendations

European organizations should immediately audit their Drupal installations for the File Download module and verify the installed release (for example with Composer or on the site's Extend page). The primary fix is to upgrade to 1.9.0 or later on the 1.x branch, or 2.0.1 or later on the 2.x branch, the releases in which the authorization check was added. Where an immediate upgrade is not feasible, apply compensating controls: restrict the module's download endpoints to trusted IP ranges at a web application firewall or network level where the intended audience is known, and confirm that restricted files are stored in Drupal's private file system rather than under the public files directory, since the web server serves public files directly and no module-level check can protect them. Review and tighten Drupal user permissions to reduce what an unauthorized download could reach, and monitor web server logs for forceful-browsing signatures: one client requesting many download URLs in quick succession, especially consecutive file identifiers with no referring page and a successful (200) response to each. After patching, the same pattern should appear as 403 responses, which is a useful confirmation that the check is now in place. Regularly applying security patches and subscribing to Drupal security advisories will help prevent exploitation of similar vulnerabilities in the future.
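The log-monitoring step above, as an added example (not part of the advisory or of the module): a small PHP script that reads combined-format access log lines and flags a client walking a download route by consecutive file id. The route pattern `/file/download/{id}` and the sample log lines are constructed for the example; adjust the pattern to whatever download path your site actually exposes.

```php
<?php

declare(strict_types=1);

// Added example; not part of the advisory or of the File Download module.
// Flags a single client sweeping a download route by numeric file id, the
// footprint a CWE-862 forceful-browsing attack leaves in web server logs.
// The route pattern is an assumption: point it at your site's download path.

const DOWNLOAD_ROUTE = '#^/file/download/(\d+)(?:[/?]|$)#';

// Apache/nginx "combined" format:
// ip ident user [time] "method path protocol" status bytes "referer" "agent"
const COMBINED_LOG = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';

/** Parse one log line; returns null for lines that are not download requests. */
function parseDownloadRequest(string $line): ?array
{
    if (!preg_match(COMBINED_LOG, $line, $m)) {
        return null;
    }
    if (!preg_match(DOWNLOAD_ROUTE, $m[5], $route)) {
        return null;
    }
    $time = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[3]);
    if ($time === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'user'   => $m[2],          // "-" means no authenticated user
        'time'   => $time->getTimestamp(),
        'fid'    => (int) $route[1],
        'status' => (int) $m[6],
    ];
}

/**
 * Returns [ip => summary] for clients that requested at least $minIds distinct
 * file ids within $windowSeconds where the sorted ids are mostly consecutive,
 * i.e. someone walking the id space rather than following links.
 */
function findIdSweeps(array $lines, int $minIds = 5, int $windowSeconds = 120, float $minSequentialRatio = 0.6): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $req = parseDownloadRequest($line);
        if ($req !== null) {
            $byIp[$req['ip']][] = $req;
        }
    }

    $findings = [];
    foreach ($byIp as $ip => $reqs) {
        $ids = array_values(array_unique(array_column($reqs, 'fid')));
        if (count($ids) < $minIds) {
            continue;
        }
        $times = array_column($reqs, 'time');
        if (max($times) - min($times) > $windowSeconds) {
            continue;
        }
        sort($ids);
        $consecutive = 0;
        for ($i = 1, $n = count($ids); $i < $n; $i++) {
            if ($ids[$i] === $ids[$i - 1] + 1) {
                $consecutive++;
            }
        }
        if ($consecutive / max(1, count($ids) - 1) < $minSequentialRatio) {
            continue;
        }
        $statuses = array_column($reqs, 'status');
        $findings[$ip] = [
            'distinct_ids' => count($ids),
            'served_200'   => count(array_keys($statuses, 200, true)), // files actually disclosed
            'denied_403'   => count(array_keys($statuses, 403, true)), // what a patched site should show
            'anonymous'    => $reqs[0]['user'] === '-',
        ];
    }
    return $findings;
}

// Constructed sample: 203.0.113.7 walks ids 40..45 anonymously and is served
// five of them (the unpatched outcome); 198.51.100.2 is a logged-in user
// fetching one linked file; the /node request is unrelated and ignored.
$sample = [
    '203.0.113.7 - - [21/Jul/2025:16:40:01 +0000] "GET /file/download/40 HTTP/1.1" 200 18321 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Jul/2025:16:40:01 +0000] "GET /file/download/41 HTTP/1.1" 200 9034 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Jul/2025:16:40:02 +0000] "GET /file/download/42 HTTP/1.1" 200 77120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Jul/2025:16:40:02 +0000] "GET /file/download/43 HTTP/1.1" 404 1523 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Jul/2025:16:40:03 +0000] "GET /file/download/44 HTTP/1.1" 200 40211 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Jul/2025:16:40:03 +0000] "GET /file/download/45 HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.2 - alice [21/Jul/2025:16:41:10 +0000] "GET /file/download/44 HTTP/1.1" 200 40211 "https://example.test/node/12" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Jul/2025:16:41:12 +0000] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (findIdSweeps($sample) as $ip => $f) {
    printf("%s: %d ids swept, %d served, %d denied, anonymous=%s\n",
        $ip, $f['distinct_ids'], $f['served_200'], $f['denied_403'], $f['anonymous'] ? 'yes' : 'no');
}
```

On the constructed sample only 203.0.113.7 is reported (six consecutive ids in three seconds, five served, none denied, anonymous). The thresholds are deliberately loose; tune `$minIds` and the window to your traffic, and treat a high `served_200` count from an unpatched site as a disclosure to investigate, not just an attempt.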


Technical Details

Data Version: 5.1
Assigner Short Name: drupal
Date Reserved: 2025-07-16T14:53:54.139Z
CVSS Version: null
State: PUBLISHED

Threat ID: 687e7252a83201eaac11c513

Added to database: 7/21/2025, 5:01:06 PM

Last enriched: 7/29/2025, 1:26:29 AM

Last updated: 9/3/2025, 3:14:28 AM

