
CVE-2025-9549: CWE-862 Missing Authorization in Drupal Facets

Severity: Medium
Tags: Vulnerability, CVE-2025-9549, CWE-862
Published: Fri Oct 10 2025 (10/10/2025, 22:24:16 UTC)
Source: CVE Database V5
Vendor/Project: Drupal
Product: Facets

Description

Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing. This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.

AI-Powered Analysis

AI analysis last updated: 10/18/2025, 03:58:02 UTC

Technical Analysis

CVE-2025-9549 is a missing-authorization vulnerability (CWE-862) in Facets, the Drupal contributed module that builds faceted search interfaces on top of Search API indexes. The affected releases are every version before 2.0.10 (the 2.x branch and anything older) and the 3.x branch before 3.0.1. The advisory describes the consequence as forceful browsing: a client that sends a request directly to a facet-related path or resource, rather than going through the links the user interface exposes, is served without the access check that should have applied, and so reaches facet data or functionality that was meant to be restricted. In a faceted search, facet values and their counts are derived from indexed content, so the practical effect is disclosure of information about items the requester may not be allowed to see; the description does not indicate any availability impact. Note that the CVE record on this page carries no CVSS data (Cvss Version: null), so the Medium label is the tracker's own classification, not a published score. The characteristics the advisory implies (network-reachable, no special privileges, no user interaction, confidentiality and possibly integrity impact) fit a medium-severity profile, but no vector or base score should be quoted from this record. Because a missing-authorization flaw is reachable by whoever can send the request, treat the issue as remotely exploitable until the vendor advisory states otherwise. The CVE was reserved on 2025-08-27 and published on 2025-10-10; no exploitation in the wild had been reported at publication. The record includes no patch links, so the fix is obtained by updating the module to a fixed release through Drupal's normal release channel.

Potential Impact

For European organizations running Drupal sites with faceted search, the main consequence of CVE-2025-9549 is unauthorized disclosure. Facet data derived from restricted content can reveal personal or otherwise regulated information, which brings GDPR obligations (breach assessment and, where required, notification) in addition to reputational harm and loss of user trust. If facet filtering can be influenced outside the intended access rules, the integrity of search results is also affected, which degrades user experience and data reliability. Because no authentication or user interaction is needed, the flaw can be probed remotely and at scale, so opportunistic scanning is the realistic threat model. Government, education, media and e-commerce sites, which commonly use Facets, are the most exposed. The Medium rating reflects moderate confidentiality and integrity impact with no direct availability impact, so service continuity is unlikely to suffer; the compliance and operational consequences of a bypassed access control are the larger concern.

Mitigation Recommendations

Affected organizations should first confirm the installed Facets version (for Composer-managed sites, composer show drupal/facets; otherwise the Extend page or drush pm:list) and upgrade to 2.0.10 on the 2.x branch or 3.0.1 on the 3.x branch, or later. If the upgrade cannot be applied immediately, restrict the facet-related paths at the web server or WAF (for example, limit them to authenticated sessions or known client networks); treat such rules as a stopgap, because the vulnerable code remains in place. Audit access control on facet-related routes and make sure authorization checks are applied consistently across all facet functionality, not only on the pages the user interface links to. Review web server and application logs for direct requests to facet resources from clients that never loaded the surrounding search page, and for unusual enumeration or scraping patterns. Where the site's purpose allows, limit facet data to authenticated users and apply least privilege to the underlying search indexes. Follow Drupal security advisories and the module's release notes for follow-up fixes, include authorization checks in periodic security assessments and penetration tests of contributed modules, and keep the incident response plan ready to handle a confirmed data exposure quickly.
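The first mitigation step above, confirming whether the installed Facets release is inside the affected ranges, is easy to get wrong with string comparison ("2.0.9" sorts after "2.0.10" lexically). The following added example, which is not code from the Facets project or from this tracker, applies the advisory's ranges (from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1) to the drupal/facets entry of a composer.lock. It assumes the package is named drupal/facets and that versions use the semver-style tags of the 2.x/3.x branches (it also tolerates the legacy 8.x-1.8 style that drush prints); the composer.lock excerpt is constructed sample data.

```python
"""Version check for CVE-2025-9549 (Drupal Facets, CWE-862).

Added example, not the Facets project's or the tracker's code. Assumptions:
the Composer package is named 'drupal/facets' and versions follow the
semver-style tags of the module's 2.x/3.x branches; SAMPLE_LOCK below is
constructed sample data, not a real site's lock file.
"""
import json
import re

# Affected half-open ranges [lower, upper) from the advisory text,
# as (major, minor, patch) tuples.
AFFECTED_RANGES = (
    ((0, 0, 0), (2, 0, 10)),
    ((3, 0, 0), (3, 0, 1)),
)

# Accepts '2.0.9', 'v3.0.1', '3.0.1-rc1', '2.0.9+build' and the legacy
# '8.x-1.8' style; the patch component is optional.
_VERSION_RE = re.compile(
    r"^(?:\d+\.x-)?v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text):
    """Return (major, minor, patch, rank) for integer-tuple comparison.

    rank is -1 for a pre-release ('-beta1', '-rc2') and 0 for a final
    release, so every pre-release of X sorts just below X. Integer tuples
    avoid the string-comparison bug where '2.0.9' > '2.0.10'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    rank = -1 if m.group(4) else 0
    return (major, minor, patch, rank)


def affected_range(version_text):
    """Return the (lower, upper) range containing the version, or None.

    Pre-releases are treated conservatively: a pre-release of the fixed
    version is still below it and therefore affected, and a pre-release of
    the lower bound is counted as inside the range.
    """
    key = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if lower + (-1,) <= key < upper + (0,):
            return lower, upper
    return None


def is_affected(version_text):
    return affected_range(version_text) is not None


def fixed_version_for(version_text):
    """First fixed release on the matching branch, or None if not affected."""
    rng = affected_range(version_text)
    return ".".join(str(n) for n in rng[1]) if rng else None


def check_composer_lock(lock_json, package="drupal/facets"):
    """Locate the package in composer.lock and report whether it is affected.

    Returns None when the package is not installed, otherwise a dict with
    the installed version, the affected flag and the release to upgrade to.
    """
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                version = pkg["version"]
                return {
                    "version": version,
                    "affected": is_affected(version),
                    "upgrade_to": fixed_version_for(version),
                }
    return None


# Constructed composer.lock excerpt: a 2.x site one release short of the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.6"},
        {"name": "drupal/facets", "version": "2.0.9"},
        {"name": "drupal/search_api", "version": "1.35.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # → {'version': '2.0.9', 'affected': True, 'upgrade_to': '2.0.10'}
    print(check_composer_lock(SAMPLE_LOCK))
```

Run it against a real lock file with `check_composer_lock(open("composer.lock").read())`; a site whose Facets version is not managed by Composer can feed the string from `drush pm:list` to `is_affected` directly. The conservative pre-release handling means a 3.0.1-rc1 or 2.0.10-beta1 install is reported as affected, which is the right default when the advisory only names final releases.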


Technical Details

Data Version
5.1
Assigner Short Name
drupal
Date Reserved
2025-08-27T16:08:30.544Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68e98a03a6e766b7172b969a

Added to database: 10/10/2025, 10:34:43 PM

Last enriched: 10/18/2025, 3:58:02 AM

Last updated: 11/28/2025, 5:49:40 PM

Views: 60

Community Reviews

0 reviews

