CVE-2025-8117 is a vulnerability classified under CWE-909 (Missing Initialization of Resource) found in the Polska Akademia Dostępności (PAD) CMS, a content management system used primarily in Poland. The flaw stems from improper initialization of a parameter involved in the password recovery mechanism across all three templates (www, bip, and www+bip). This improper initialization allows an attacker to bypass normal password reset procedures and change the password of any user account that has not previously initiated a password reset. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly accessible to threat actors. The CVSS 4.0 base score is 8.7, reflecting its critical impact on confidentiality and integrity, with no impact on availability. The PAD CMS product is end-of-life, and the vendor has explicitly stated no patches will be released, leaving users exposed. This vulnerability could be leveraged to gain unauthorized access to administrative or user accounts, potentially leading to data breaches, defacement, or further compromise of connected systems. The lack of known exploits in the wild currently provides a small window for mitigation, but the risk remains significant due to the ease of exploitation and absence of vendor support.

For European organizations, especially those in Poland and countries with public sector entities or institutions using PAD CMS, this vulnerability poses a significant risk. Unauthorized password changes can lead to account takeovers, exposing sensitive personal data, internal communications, or administrative controls. This can result in data breaches, loss of trust, regulatory penalties under GDPR, and disruption of services. Since the CMS is used in government and public administration contexts (implied by the bip template, commonly used for public information in Poland), the impact on public sector organizations could be severe, affecting citizen services and critical information dissemination. The inability to patch the product increases the risk of long-term exploitation and persistent threats. Attackers could leverage this vulnerability to establish footholds, escalate privileges, or conduct further attacks within organizational networks.

Given the end-of-life status of PAD CMS and absence of patches, affected organizations should prioritize migrating to a supported and secure CMS platform. In the interim, organizations should implement strict network segmentation to isolate the CMS from critical internal systems and restrict access to the CMS administration interfaces via IP whitelisting or VPN. Employ multi-factor authentication (MFA) on all administrative accounts to reduce the risk of unauthorized access. Monitor logs for unusual password change activities and implement alerting for suspicious account modifications. Conduct regular security audits and vulnerability assessments to identify any exploitation attempts. If migration is not immediately feasible, consider deploying web application firewalls (WAFs) with custom rules to detect and block exploitation attempts targeting the password recovery functionality. Educate users and administrators about the risks and signs of compromise related to this vulnerability.