CVE-2025-9559: CWE-639: Authorization Bypass Through User-Controlled Key in Pegasystems Pega Infinity
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
AI Analysis
Technical Summary
CVE-2025-9559 is a medium severity vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Pegasystems Pega Infinity platform versions from 8.7.5 up to 24.2.2. The flaw exists in a user interface component designed solely for data reading, where the application fails to properly validate or restrict access to objects referenced via user-controlled keys. This Insecure Direct Object Reference (IDOR) allows an attacker with some level of privileges (PR:L) to bypass authorization controls and access sensitive data that should be restricted. The vulnerability does not require user interaction (UI:N) and can be exploited remotely (AV:N) with low attack complexity (AC:L). The impact is primarily on confidentiality (C:H), with no direct effect on integrity or availability. Although no public exploits are currently known, the vulnerability could be leveraged by insiders or attackers who have gained limited access to the system to escalate data access privileges. The lack of patches or official fixes at the time of publication necessitates immediate attention to access control policies and monitoring. The vulnerability highlights the importance of robust authorization checks and secure handling of user-supplied keys in enterprise software components.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive business or customer data managed within Pega Infinity platforms. Given Pega Infinity’s widespread use in sectors such as finance, insurance, telecommunications, and public services across Europe, unauthorized data access could result in regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial losses. The breach of confidentiality could expose personally identifiable information (PII) or intellectual property, increasing the risk of further targeted attacks or fraud. Since the vulnerability requires some level of privilege, insider threats or compromised accounts pose a significant risk vector. The absence of impact on integrity and availability reduces the risk of data manipulation or service disruption but does not diminish the severity of data leakage. Organizations relying on Pega Infinity for critical workflows must consider the potential cascading effects on business operations and customer trust.
Mitigation Recommendations
1. Implement strict access control mechanisms ensuring that user-controlled keys cannot be used to access unauthorized data objects.
2. Conduct thorough input validation and enforce server-side authorization checks on all user-supplied parameters related to object references.
3. Monitor and audit access logs for unusual or unauthorized data access patterns, especially from accounts with limited privileges.
4. Apply the latest patches and updates from Pegasystems as soon as they become available.
5. Employ role-based access control (RBAC) and least privilege principles to minimize the number of users with elevated access.
6. Use web application firewalls (WAFs) to detect and block suspicious requests targeting the vulnerable UI components.
7. Educate internal users about the risks of credential compromise and enforce multi-factor authentication (MFA) to reduce the likelihood of privilege escalation.
8. Perform regular security assessments and penetration testing focused on authorization mechanisms within Pega Infinity deployments.
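The pattern behind CWE-639 and the shape of recommendations 2 and 3 above, as an added illustrative example. This is not Pega code and does not describe the real Pega Infinity component; the record store, the user names, the `case_auditor` role and the audit-log format are all constructed for the example. It places a read-only view that trusts the client-supplied key beside a hardened version that makes a server-side authorization decision, returns the same response for missing and forbidden records, and writes an audit trail that a small detection helper can scan for accounts accumulating denials.

```python
"""CWE-639 / IDOR in a read-only view: vulnerable form, hardened form, audit check.

Added example for this write-up; not Pega code. Record ids, users, roles and
the audit-log format are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: str
    owner: str        # user entitled to read this record
    body: str


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # e.g. frozenset({"case_auditor"})


# Constructed sample store standing in for the application's data layer.
RECORDS = {
    "CASE-1001": Record("CASE-1001", "alice", "alice's case notes"),
    "CASE-1002": Record("CASE-1002", "bob", "bob's case notes"),
}

AUDIT_LOG: list[str] = []   # constructed in-memory audit trail (recommendation 3)


def view_record_vulnerable(user: User, record_id: str) -> tuple[int, str]:
    """Vulnerable read-only view: the caller is authenticated (PR:L), but the
    record is fetched purely by the client-supplied key, so any logged-in user
    can read any record whose id they know. Returns (status, body)."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, ""
    return 200, rec.body


def is_authorized(user: User, rec: Record) -> bool:
    """Server-side authorization decision (recommendation 2): based on ownership
    or an explicit role held by the session, never on anything in the request."""
    return rec.owner == user.name or "case_auditor" in user.roles


def view_record_hardened(user: User, record_id: str) -> tuple[int, str]:
    """Hardened view: the lookup is followed by an authorization check, and a
    missing record and a forbidden record give the same response so the endpoint
    does not become an oracle for which ids exist. Every decision is logged."""
    rec = RECORDS.get(record_id)
    if rec is None or not is_authorized(user, rec):
        AUDIT_LOG.append(f"DENY user={user.name} record={record_id}")
        return 404, ""
    AUDIT_LOG.append(f"ALLOW user={user.name} record={record_id}")
    return 200, rec.body


def users_with_many_denials(audit_log: list[str], threshold: int) -> dict[str, int]:
    """Detection helper (recommendation 3): count DENY entries per user and
    return those at or above the threshold, the signature of a low-privilege
    account probing object keys it does not own."""
    counts: Counter[str] = Counter()
    for line in audit_log:
        if line.startswith("DENY "):
            fields = dict(kv.split("=", 1) for kv in line.split()[1:])
            counts[fields["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    alice = User("alice", frozenset())
    auditor = User("carol", frozenset({"case_auditor"}))
    print(view_record_vulnerable(alice, "CASE-1002"))  # bob's data returned to alice
    print(view_record_hardened(alice, "CASE-1002"))    # (404, "")
    print(view_record_hardened(auditor, "CASE-1002"))  # role-based allow
    for rid in ("CASE-1002", "CASE-1003", "CASE-1004"):
        view_record_hardened(alice, rid)
    print(users_with_many_denials(AUDIT_LOG, 3))        # {'alice': 4}
```

The design choice worth copying is that the authorization decision takes the session's identity and roles as inputs and the fetched object as the other, and that the caller sees one response for "not found" and "not yours"; whether a denial is logged as a 404 or a 403 internally is a matter of taste, but the external response should not distinguish them.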
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Pega
- Date Reserved: 2025-08-27T20:01:46.786Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f112c09f8a5dbaeae0564d
Added to database: 10/16/2025, 3:44:00 PM
Last enriched: 10/16/2025, 3:59:29 PM
Last updated: 10/17/2025, 8:56:41 PM