
CVE-2025-7899: CWE-639 Authorization Bypass Through User-Controlled Key in TYPO3 Extension "powermail"

Severity: Medium
Tags: Vulnerability, CVE-2025-7899, CWE-639
Published: Tue Jul 22 2025 (07/22/2025, 10:18:38 UTC)
Source: CVE Database V5
Vendor/Project: TYPO3
Product: Extension "powermail"

Description

The powermail extension for TYPO3 allows Insecure Direct Object Reference, resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.

AI-Powered Analysis

AI analysis last updated: 07/22/2025, 10:46:17 UTC

Technical Analysis

CVE-2025-7899 is a security vulnerability in the powermail extension for the TYPO3 content management system, affecting versions 12.0.0 through 12.5.2 and version 13.0.0. It is classified under CWE-639, Authorization Bypass Through User-Controlled Key: the extension does not properly restrict access to certain resources, so an attacker can bypass authorization controls by manipulating user-controlled input parameters. Here the flaw manifests as an Insecure Direct Object Reference (IDOR) that lets an attacker download arbitrary files from the webserver hosting the TYPO3 instance.

The vulnerability has a CVSS 4.0 base score of 6.0 (medium severity). The vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requires privileges (PR:L), and needs no user interaction (UI:N). It impacts confidentiality (VC:H) but not integrity or availability. No exploits are currently reported in the wild, and no patches have been linked yet.

The root cause is that powermail does not adequately validate or restrict access to files requested via user-controlled keys, allowing unauthorized file retrieval from the server. This can expose sensitive information stored on the server, including configuration files, source code, or other protected data. TYPO3 is widely used in Europe, especially among public sector and enterprise websites, so this vulnerability is a significant concern for organizations relying on powermail for form handling and data collection.

Potential Impact

For European organizations, the impact of CVE-2025-7899 can be substantial. Unauthorized file downloads can expose sensitive corporate or personal data, intellectual property, and internal configuration details, which in turn can facilitate further attacks such as privilege escalation, lateral movement, or targeted phishing campaigns. Public sector entities using TYPO3 may face data breaches affecting citizen data, potentially violating GDPR and resulting in legal and financial penalties. Enterprises relying on powermail for customer data collection may suffer reputational damage and loss of customer trust if sensitive information is leaked. The medium severity rating reflects that, although exploitation requires some level of privilege, the vulnerability can be exploited remotely without user interaction, which raises the risk profile. The current absence of known exploits in the wild provides a window for proactive mitigation, but the widespread use of TYPO3 in Europe means that many organizations could be targeted once exploit code becomes available.

Mitigation Recommendations

European organizations should immediately audit their TYPO3 installations to identify whether powermail versions 12.0.0 through 12.5.2 or 13.0.0 are in use. Until an official patch is released, organizations should consider the following mitigations:

1) Restrict access to the powermail extension endpoints via web application firewalls (WAF) or network-level controls to trusted IP addresses only.
2) Implement strict file access controls on the webserver to prevent unauthorized file reads, including disabling directory listing and ensuring sensitive files are located outside the webroot.
3) Monitor webserver logs for unusual file download requests or patterns indicative of exploitation attempts.
4) Employ runtime application self-protection (RASP) tools that can detect and block IDOR exploitation attempts.
5) Engage with the TYPO3 community and vendors for timely patch releases and apply updates as soon as they become available.
6) Conduct internal penetration testing focused on powermail endpoints to identify and remediate any additional access control weaknesses.

These targeted measures go beyond generic advice by focusing on access restrictions, monitoring, and proactive detection specific to the nature of this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: TYPO3
Date Reserved: 2025-07-19T12:40:12.631Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687f686aa83201eaac1af334

Added to database: 7/22/2025, 10:31:06 AM

Last enriched: 7/22/2025, 10:46:17 AM

Last updated: 7/22/2025, 2:31:08 PM
