CVE-2025-40645
📋 TL;DR
This vulnerability allows unauthenticated attackers to retrieve sensitive customer information from Viday systems by sending HTTP GET requests to the /api/reserva/web/clients endpoint with a phone parameter. Any Viday installation that exposes this endpoint is affected and may leak customer data such as phone numbers and the reservation details associated with them.
💻 Affected Systems
- Viday
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass extraction of customer PII including phone numbers, names, and reservation details leading to privacy violations, identity theft, and regulatory compliance failures.
Likely Case
Targeted information gathering about specific customers using phone numbers, enabling social engineering attacks or harassment.
If Mitigated
Limited exposure with proper authentication and access controls preventing unauthorized API access.
🎯 Exploit Status
Trivial: a single unauthenticated HTTP GET request carrying a phone parameter is sufficient; no exploit tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viday
Restart Required: No
Instructions:
1. Monitor vendor for patch release
2. Apply patch when available
3. Test in non-production environment first
🔧 Temporary Workarounds
Block Unauthenticated API Access
Require authentication for the /api/reserva/web/clients endpoint at the web server or reverse proxy in front of Viday (configuration depends on platform). If the public booking front end itself calls this endpoint, an extra credential layer will break that flow, so test before deploying.
# nginx example: auth_basic on its own has no credentials to check against, so pair it with auth_basic_user_file (path is a placeholder)
location /api/reserva/web/clients { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd; }
Network Access Control
Restrict access to the API endpoint with firewall rules (Linux example). Note that a payload string match only sees plaintext HTTP on port 80: it is blind to HTTPS on 443, and a request whose URL is split across TCP segments can slip past it, so treat this as a stopgap rather than a control.
# iptables example: drop requests for the endpoint unless they come from a trusted network (10.0.0.0/8 is a placeholder)
iptables -A INPUT -p tcp --dport 80 ! -s 10.0.0.0/8 -m string --string "/api/reserva/web/clients" --algo bm -j DROP
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to vulnerable endpoint
- Monitor and alert on suspicious access patterns to the API endpoint
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated HTTP GET request to http://[target]/api/reserva/web/clients?phone=[number] (use a number belonging to a test record, on a system you are authorized to test) and check whether customer data is returned.
Check Version:
Check Viday documentation or admin interface for version information
Verify Fix Applied:
Repeat the same request after remediation; it should return an authentication error (401/403) or no customer data.
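The check above, as an added example (not Viday's code and not a script from the advisory). It assumes the endpoint path and phone parameter named on this page; the response format is an assumption, so a 200 with a non-empty JSON body that echoes the probed number is treated as confirmed leakage, a non-empty JSON body without it as "likely_vulnerable" for manual review, and 401/403/404 as not exposed. Only run check_target against systems you are authorized to test.

```python
"""Added verification helper for the /api/reserva/web/clients check.

Assumptions (not from the page): the endpoint returns JSON; any non-empty
JSON object/array on a 200 is customer data. Adjust classify_response if
the real response format differs.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT_PATH = "/api/reserva/web/clients"


def classify_response(status: int, body: str, probed_phone: str) -> str:
    """Map a response to 'vulnerable', 'likely_vulnerable', 'not_exposed' or 'inconclusive'."""
    if status in (401, 403):
        return "not_exposed"          # endpoint now demands credentials
    if status == 404:
        return "not_exposed"          # endpoint removed or renamed
    if status != 200:
        return "inconclusive"         # errors, redirects: look at them by hand
    try:
        data = json.loads(body)
    except ValueError:
        # Non-JSON body: only worth a look if the probed number is echoed back
        return "likely_vulnerable" if probed_phone in body else "inconclusive"
    if isinstance(data, (list, dict)) and len(data) > 0:
        # Non-empty record set; the probed number appearing confirms it is the customer's record
        return "vulnerable" if probed_phone in body else "likely_vulnerable"
    return "inconclusive"             # e.g. [] : no record matched the phone


def build_url(base_url: str, phone: str) -> str:
    """Compose the probe URL with the phone parameter properly encoded."""
    query = urllib.parse.urlencode({"phone": phone})
    return f"{base_url.rstrip('/')}{ENDPOINT_PATH}?{query}"


def check_target(base_url: str, phone: str, timeout: float = 10.0) -> str:
    """Issue the unauthenticated GET and classify the result (network access required)."""
    req = urllib.request.Request(
        build_url(base_url, phone),
        headers={"User-Agent": "cve-2025-40645-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"), phone)
    except urllib.error.HTTPError as e:
        # 4xx/5xx arrive here; the status code is still the signal we want
        return classify_response(e.code, e.read().decode("utf-8", "replace"), phone)
    except urllib.error.URLError:
        return "inconclusive"         # connection refused, DNS failure, timeout


if __name__ == "__main__":
    # usage: python check.py http://viday.example 600000000
    print(check_target(sys.argv[1], sys.argv[2]))
```

Run it once before and once after remediation: the result should move from "vulnerable" or "likely_vulnerable" to "not_exposed". An "inconclusive" after the fix (for example an empty list on a 200) means the endpoint still answers anonymously and needs a closer look.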
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to GET /api/reserva/web/clients without authentication
- High volume of requests to API endpoint from single IP
Network Indicators:
- Unusual traffic patterns to API endpoint
- Requests with phone parameter from unauthorized sources
SIEM Query (field names are placeholders; map them to your log schema):
source="web_server" AND (uri="/api/reserva/web/clients" AND NOT auth_success="true")
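The log indicators above turned into detection logic, as an added example that is not part of this advisory and not Viday's code. It runs over constructed nginx combined-format access-log lines (not real Viday logs) and assumes the log carries $remote_user, which nginx writes as "-" when no HTTP Basic credentials were presented; if your authentication is session-based, swap that check for whatever your log exposes. The per-IP threshold is an example value.

```python
"""Added detection example for CVE-2025-40645 log indicators.

Flags (1) HTTP 200 responses to GET /api/reserva/web/clients with no
authenticated user and (2) any single IP hitting the endpoint more than
PER_IP_THRESHOLD times. Log lines below are constructed for this example.
"""
import re
from collections import Counter

ENDPOINT = "/api/reserva/web/clients"
PER_IP_THRESHOLD = 5   # example value: tune to your traffic

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Constructed sample: one IP enumerating numbers, one authenticated staff user, one rejected probe
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:01:02 +0200] "GET /api/reserva/web/clients?phone=600000001 HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.7 - - [12/May/2025:10:01:03 +0200] "GET /api/reserva/web/clients?phone=600000002 HTTP/1.1" 200 298 "-" "curl/8.5.0"
203.0.113.7 - - [12/May/2025:10:01:04 +0200] "GET /api/reserva/web/clients?phone=600000003 HTTP/1.1" 200 305 "-" "curl/8.5.0"
203.0.113.7 - - [12/May/2025:10:01:05 +0200] "GET /api/reserva/web/clients?phone=600000004 HTTP/1.1" 200 301 "-" "curl/8.5.0"
203.0.113.7 - - [12/May/2025:10:01:06 +0200] "GET /api/reserva/web/clients?phone=600000005 HTTP/1.1" 200 299 "-" "curl/8.5.0"
203.0.113.7 - - [12/May/2025:10:01:07 +0200] "GET /api/reserva/web/clients?phone=600000006 HTTP/1.1" 200 310 "-" "curl/8.5.0"
198.51.100.4 - staff [12/May/2025:10:02:11 +0200] "GET /api/reserva/web/clients?phone=600000009 HTTP/1.1" 200 301 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2025:10:03:40 +0200] "GET /api/reserva/web/clients?phone=600000010 HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/May/2025:10:03:41 +0200] "GET /index.html HTTP/1.1" 200 4120 "-" "python-requests/2.31"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["route"] = rec["path"].split("?", 1)[0]   # strip the query string for route matching
    return rec


def analyze(lines):
    """Return unauthenticated 200s to the endpoint, per-IP request counts, and alert strings."""
    unauth_200 = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["route"] != ENDPOINT:
            continue
        per_ip[rec["ip"]] += 1          # every hit on the endpoint counts toward volume, any status
        if rec["method"] == "GET" and rec["status"] == 200 and rec["user"] == "-":
            unauth_200.append((rec["ip"], rec["path"]))
    alerts = [f"{ip}: {n} requests to {ENDPOINT} exceeds threshold {PER_IP_THRESHOLD}"
              for ip, n in per_ip.items() if n > PER_IP_THRESHOLD]
    alerts += [f"{ip}: unauthenticated 200 for {path}" for ip, path in unauth_200]
    return {"unauthenticated_200": unauth_200, "per_ip": per_ip, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines())["alerts"]:
        print(alert)
```

On the sample, the enumerating IP trips both indicators, the staff user's authenticated request is ignored, and the 401 probe counts toward volume but not toward leakage, which is the distinction you want once the authentication workaround is in place.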