CVE-2025-62644

5.0 MEDIUM

📋 TL;DR

The Global Store Directory in the Restaurant Brands International (RBI) assistant platform does not restrict authenticated users to their own records, so any logged-in user can read other users' personal information. Platform versions through 2025-09-06 are affected, across the RBI restaurant brands the platform serves (Burger King, Popeyes, Tim Hortons). The flaw exposes customer personal data to anyone holding a valid account, whether an insider or an attacker using compromised credentials.

💻 Affected Systems

Products:
  • Restaurant Brands International (RBI) assistant platform
Versions: All versions through 2025-09-06
Operating Systems: Not OS-specific - web/cloud platform
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Global Store Directory component that manages customer data across RBI restaurant brands including Burger King, Popeyes, and Tim Hortons.

📦 What is this software?

The RBI assistant platform is a web/cloud platform operated by Restaurant Brands International for its restaurant brands (Burger King, Popeyes, Tim Hortons). Its Global Store Directory component holds customer personal data across those brands. The references available for this entry do not describe the platform beyond that.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass data breach: an attacker holding any valid account systematically enumerates the Global Store Directory and harvests the personal information of customers across all three restaurant chains, leading to identity theft, financial fraud, and regulatory penalties.

🟠

Likely Case

Unauthorized access to customer personal data by authenticated users, exposing whatever the directory stores (the advisory does not enumerate the fields; names and contact information are the minimum to assume) to insiders or to attackers using compromised accounts.

🟢

If Mitigated

Limited exposure of non-sensitive data with proper access controls and monitoring, where only minimal information is accessible and any unauthorized access is quickly detected and contained.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to the platform. An attacker needs a valid account, but not a privileged one: the flaw is a missing authorization check in the Global Store Directory, so any authenticated user can request another user's record.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2025-09-06

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

1. Confirm that the RBI assistant platform build in use post-dates 2025-09-06. For a hosted platform the fix is deployed by RBI, not by individual users, so check with RBI rather than attempting a local update.
2. Apply any additional security patches RBI provides.
3. Verify that the Global Store Directory now enforces per-user authorization (see How to Verify below).

🔧 Temporary Workarounds

Restrict Global Store Directory Access

Applies to: all

Limit which authenticated roles can query the Global Store Directory at all, and scope each query to the requester's own record or to the stores the requester is authorized for.

Implement Data Segmentation

Applies to: all

Segment customer data by store or region so that an authenticated user in one store or region cannot reach records belonging to another.

🧯 If You Can't Patch

  • Implement strict role-based access controls (RBAC) to limit Global Store Directory access to only necessary personnel
  • Enable detailed audit logging for all Global Store Directory access and monitor for unusual patterns

🔍 How to Verify

Check if Vulnerable:

Using two ordinary accounts, A and B, log in as A and request B's record from the Global Store Directory by B's identifier. If B's personal data is returned rather than a 403/404 response, the platform is vulnerable.

Check Version:

Check platform version in admin interface or contact RBI support for version verification

Verify Fix Applied:

Repeat the two-account test after patching: a fixed build returns only A's own record (or records A is explicitly authorized for) and refuses the request for B's record.
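The following is an added example, not code from RBI or from this advisory. It models the flaw in a small in-memory directory, puts the hardened lookup beside it, and implements the two-account verification step above as a function. The record layout, the `Session` fields, the `store_manager` role and the sample records are all assumptions; only the shape of the defect (a lookup keyed by record id with no ownership or scope check) follows the advisory.

```python
"""Model of the Global Store Directory lookup, vulnerable and fixed, plus the
two-account check used to verify which one a build exhibits.

Added example: not RBI's code. Record layout, roles and names are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset   # assumed role set, e.g. frozenset({"store_manager"})
    store_id: str      # assumed: the store the account is attached to


# Constructed sample records standing in for directory entries.
DIRECTORY = {
    "u-100": {"owner": "u-100", "store": "bk-0421", "name": "Alice Example", "phone": "+1-555-0100"},
    "u-200": {"owner": "u-200", "store": "th-0077", "name": "Bob Example", "phone": "+1-555-0200"},
}


class Forbidden(Exception):
    pass


def lookup_vulnerable(session, record_id):
    """Flawed lookup: authentication is checked, authorization is not.
    Any logged-in user can read any record simply by supplying its id."""
    if session is None:
        raise Forbidden("login required")
    return DIRECTORY[record_id]


def lookup_fixed(session, record_id):
    """Hardened lookup: the record must belong to the requester, or fall inside
    a scope the requester's role grants (assumed: a store_manager may read
    records attached to their own store). Unknown ids and unauthorized ids
    raise the same error so the endpoint does not confirm which ids exist."""
    if session is None:
        raise Forbidden("login required")
    record = DIRECTORY.get(record_id)
    if record is None:
        raise Forbidden("not found")
    if record["owner"] == session.user_id:
        return record
    if "store_manager" in session.roles and record["store"] == session.store_id:
        return record
    raise Forbidden("not authorised for this record")


def cross_account_check(lookup, session_a, record_id_b):
    """The verification step from the advisory: with user A's session, request
    a record known to belong to a different user B, where A has no legitimate
    scope over B. Returns True if the build is vulnerable (B's data came back)
    and False if access was refused or only A's own data was returned."""
    try:
        record = lookup(session_a, record_id_b)
    except Forbidden:
        return False
    return record.get("owner") != session_a.user_id


if __name__ == "__main__":
    alice = Session("u-100", frozenset(), "bk-0421")
    print("vulnerable build leaks:", cross_account_check(lookup_vulnerable, alice, "u-200"))
    print("fixed build leaks:", cross_account_check(lookup_fixed, alice, "u-200"))
```

Against a live platform the `lookup` argument would be a thin wrapper around an authenticated HTTP request rather than a dictionary read; the check itself is the same: a second user's record coming back under the first user's session is the finding.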

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to the Global Store Directory
  • Many distinct customers' records read by a single authenticated account in a short window
  • Successful reads of customer records whose owner is not the requesting user

Network Indicators:

  • High volume of API calls to customer data endpoints
  • Unusual data transfer patterns from Global Store Directory

SIEM Query:

source="rbi_platform" AND (event="global_store_access" OR endpoint="/api/global-store/*") AND user!=customer_id

Field names here are illustrative: map `user` and `customer_id` to whatever the platform actually logs for the requesting account and the owner of the record returned, and filter on successful responses so that refused attempts after the fix are counted separately.
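The detection logic behind that query, run over a few constructed log lines, as an added example that is not an RBI artifact: the one-JSON-object-per-line format, the field names (`user`, `endpoint`, `record_owner`, `status`), the `/api/global-store/` prefix taken from the query above, and the harvesting threshold are all assumptions that must be mapped to the platform's real log schema. The example separates single cross-account reads from the enumeration pattern a bulk scrape leaves, and counts refused attempts separately so the same pass is useful after the fix.

```python
"""Detection pass over constructed Global Store Directory access logs.

Added example, not an RBI artifact: log format, field names, endpoint prefix
and thresholds are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample log lines. 'user' is the authenticated account making the
# request; 'record_owner' is the user the returned record belongs to.
SAMPLE_LOG = """
{"ts": "2025-09-01T10:00:01Z", "user": "u-100", "endpoint": "/api/global-store/profile/u-100", "record_owner": "u-100", "status": 200}
{"ts": "2025-09-01T10:00:07Z", "user": "u-200", "endpoint": "/api/global-store/profile/u-200", "record_owner": "u-200", "status": 200}
{"ts": "2025-09-01T10:01:00Z", "user": "u-300", "endpoint": "/api/global-store/profile/u-100", "record_owner": "u-100", "status": 200}
{"ts": "2025-09-01T10:01:01Z", "user": "u-300", "endpoint": "/api/global-store/profile/u-101", "record_owner": "u-101", "status": 200}
{"ts": "2025-09-01T10:01:02Z", "user": "u-300", "endpoint": "/api/global-store/profile/u-102", "record_owner": "u-102", "status": 200}
{"ts": "2025-09-01T10:01:03Z", "user": "u-300", "endpoint": "/api/global-store/profile/u-103", "record_owner": "u-103", "status": 200}
{"ts": "2025-09-01T10:02:00Z", "user": "u-400", "endpoint": "/api/global-store/profile/u-200", "record_owner": "u-200", "status": 403}
{"ts": "2025-09-01T10:02:30Z", "user": "u-400", "endpoint": "/api/orders/recent", "record_owner": "u-400", "status": 200}
""".strip()

DIRECTORY_PREFIX = "/api/global-store/"   # assumed, taken from the SIEM query above
HARVEST_THRESHOLD = 3                     # assumed: distinct foreign records per account before alerting


def parse_events(text):
    """Parse JSON lines and keep only Global Store Directory requests."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("endpoint", "").startswith(DIRECTORY_PREFIX):
            events.append(ev)
    return events


def cross_account_reads(events):
    """Successful reads where the requester is not the record owner: the
    literal condition the advisory describes."""
    return [ev for ev in events
            if ev["status"] == 200 and ev["user"] != ev["record_owner"]]


def harvesting_accounts(events, threshold=HARVEST_THRESHOLD):
    """Accounts that successfully read at least `threshold` distinct records
    belonging to other users: the enumeration pattern a bulk scrape leaves."""
    foreign = defaultdict(set)
    for ev in cross_account_reads(events):
        foreign[ev["user"]].add(ev["record_owner"])
    return {user: sorted(owners) for user, owners in foreign.items()
            if len(owners) >= threshold}


def denied_cross_account_attempts(events):
    """Refused cross-account requests. After the fix these are the expected
    outcome, and a burst of them from one account is still worth a look."""
    return [ev for ev in events
            if ev["status"] == 403 and ev["user"] != ev["record_owner"]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("cross-account reads:", len(cross_account_reads(evs)))
    print("harvesting accounts:", harvesting_accounts(evs))
    print("denied cross-account attempts:", len(denied_cross_account_attempts(evs)))
```

The owner-of-record field is the one that matters: if the platform only logs the requesting user and the URL, the record owner has to be derived from the path or from the application database before this condition can be evaluated, and the SIEM query above reduces to a volume alert on the endpoint.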
