CVE-2025-62645
📋 TL;DR
This vulnerability allows remote authenticated attackers to obtain administrative tokens via a GraphQL mutation in the Restaurant Brands International assistant platform. Attackers can gain full platform control, affecting Burger King, Tim Hortons, and Popeyes systems. Any organization using the vulnerable RBI assistant platform is affected.
💻 Affected Systems
- Restaurant Brands International assistant platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete platform takeover allowing attackers to manipulate drive-thru systems, access customer data, disrupt operations, and potentially compromise payment systems across thousands of locations.
Likely Case
Attackers gain administrative access to manipulate orders, access customer information, disrupt restaurant operations, and potentially deploy ransomware or other malware.
If Mitigated
With proper network segmentation and monitoring, impact could be limited to isolated systems, but administrative access still poses significant risk.
🎯 Exploit Status
Exploit requires authenticated access but is simple to execute via GraphQL mutation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2025-09-06
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
1. Contact RBI for an updated platform version.
2. Apply the security patch.
3. Test in a staging environment.
4. Deploy to production.
5. Rotate all administrative tokens.
🔧 Temporary Workarounds
Disable createToken mutation
Temporarily disable the vulnerable GraphQL mutation endpoint
Specific commands depend on the platform implementation
Implement GraphQL query validation
Add strict validation for GraphQL mutations to prevent privilege escalation
Implementation varies by platform
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the assistant platform
- Enable detailed logging and monitoring for all GraphQL mutations and token creation events
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can create administrative tokens via GraphQL createToken mutation
Check Version:
Check platform version against RBI documentation or contact vendor
Verify Fix Applied:
Verify that createToken mutation no longer allows privilege escalation and test with non-admin credentials
📡 Detection & Monitoring
Log Indicators:
- Unusual token creation events
- GraphQL createToken mutations from non-admin users
- Multiple administrative token requests
Network Indicators:
- GraphQL requests to createToken endpoint
- Unusual authentication patterns
SIEM Query:
source="graphql_logs" AND mutation="createToken" AND user_role!="admin"
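The log indicators and SIEM query above, as an added detection example that is not part of the original advisory or the vendor's tooling: a small Python script that replays constructed JSON audit log lines, flags createToken mutations issued by non-admin users, and counts repeats per user. The JSON-per-line format and the field names (mutation, user_role, user, src_ip) are assumptions; map them to your platform's real log schema.

```python
import json
from collections import Counter

# Constructed sample GraphQL audit log lines (one JSON object per line).
# These are made up for the example and do not come from the advisory.
SAMPLE_LOGS = [
    '{"ts":"2025-09-06T10:00:01Z","user":"alice","user_role":"admin","mutation":"createToken","src_ip":"10.0.0.5"}',
    '{"ts":"2025-09-06T10:00:09Z","user":"bob","user_role":"staff","mutation":"createToken","src_ip":"10.0.0.7"}',
    '{"ts":"2025-09-06T10:00:12Z","user":"bob","user_role":"staff","mutation":"createToken","src_ip":"10.0.0.7"}',
    '{"ts":"2025-09-06T10:00:15Z","user":"bob","user_role":"staff","mutation":"updateOrder","src_ip":"10.0.0.7"}',
    '{"ts":"2025-09-06T10:00:20Z","user":"carol","user_role":"staff","mutation":"createToken","src_ip":"10.0.0.9"}',
    'not json at all',  # malformed line: must be skipped, not crash the detector
]


def parse_events(lines):
    """Parse JSON-per-line audit records, silently dropping malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious_token_creation(lines, threshold=2):
    """Equivalent of the page's SIEM query:
    mutation == "createToken" AND user_role != "admin".
    Returns {user: {"count": n, "repeated": bool}}; 'repeated' marks the
    'multiple administrative token requests' indicator once a user reaches
    the threshold (assumed value, tune to your environment)."""
    hits = Counter()
    for ev in parse_events(lines):
        if ev.get("mutation") == "createToken" and ev.get("user_role") != "admin":
            hits[ev.get("user", "<unknown>")] += 1
    return {user: {"count": n, "repeated": n >= threshold} for user, n in hits.items()}


if __name__ == "__main__":
    for user, info in find_suspicious_token_creation(SAMPLE_LOGS).items():
        flag = "REPEATED" if info["repeated"] else "single"
        print(f"createToken by non-admin user {user}: {info['count']} request(s) [{flag}]")
```

Note that user_role here is whatever the platform logged; if the role is taken from the client-supplied request rather than the server-side session, treat matches as a starting point for investigation rather than proof.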
🔗 References
- https://archive.today/fMYQp
- https://bobdahacker.com/blog/rbi-hacked-drive-thrus/
- https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus
- https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers
- https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html