CVE-2025-62647
📋 TL;DR
The Restaurant Brands International assistant platform allows attackers to obtain a JWT token that can generate signed AWS upload URLs for any store's path. This enables unauthorized file uploads to AWS storage buckets. Affects RBI's restaurant platforms including Burger King, Tim Hortons, and Popeyes.
💻 Affected Systems
- Restaurant Brands International assistant platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious files to AWS storage, potentially serving malware to customers, defacing websites, or exfiltrating sensitive data from compromised storage buckets.
Likely Case
Unauthorized file uploads leading to data integrity issues, potential malware distribution through restaurant platforms, or storage cost abuse through unauthorized uploads.
If Mitigated
Limited impact if proper AWS bucket policies, file validation, and access controls are implemented to restrict uploads.
🎯 Exploit Status
Exploitation requires obtaining a valid JWT token and understanding the API structure. No public exploit code is available, but technical details are documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2025-09-06
Vendor Advisory: Not publicly available
Restart Required: No
Instructions:
1. Update to the latest version of the RBI assistant platform.
2. Implement proper authorization checks for AWS upload URL generation.
3. Review and harden AWS S3 bucket policies.
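Step 2 is the root-cause fix: the upload-URL endpoint must tie the key it signs to the store the caller actually belongs to. The following is an added example, not RBI's code and not taken from the referenced write-ups. It assumes a JWT whose verified claims carry a `store_id` and a key layout of `stores/<store_id>/...` in the upload bucket (both assumptions chosen for illustration), and shows the weak pattern the advisory describes next to a hardened one. The real presigned-URL call is injected as a `signer` callable so the check can run offline.

```python
"""Server-side authorization for presigned S3 upload requests.

Added example, not the platform's code. Assumptions (illustrative only):
  - the JWT has already been signature-checked by the caller and its
    claims dict carries a string `store_id`
  - every store's objects live under the key prefix `stores/<store_id>/`
"""
import posixpath
from typing import Callable


class UploadForbidden(Exception):
    """Raised when the caller asks for a key outside its own store prefix."""


def store_prefix(store_id: str) -> str:
    return f"stores/{store_id}/"


def authorize_upload_key_weak(claims: dict, requested_key: str) -> str:
    """Vulnerable pattern: any valid token may sign any key.

    The token proves that *some* authenticated caller is asking, but
    nothing ties the requested key to that caller's store, which is the
    flaw the advisory describes."""
    if "store_id" not in claims:
        raise UploadForbidden("no store in token")
    return requested_key


def authorize_upload_key(claims: dict, requested_key: str) -> str:
    """Hardened pattern: the key must live under the caller's own store.

    - store_id comes from the verified token, never from the request body
    - the key is normalized so 'stores/1/../2/x' cannot escape the prefix
    - the prefix match includes the trailing slash so 'stores/10/...' cannot
      be claimed by a 'stores/1' token
    - a bare prefix with no object name is rejected
    """
    store_id = claims.get("store_id")
    if not isinstance(store_id, str) or not store_id:
        raise UploadForbidden("no store in token")
    if requested_key.startswith("/") or "\\" in requested_key:
        raise UploadForbidden("absolute or backslash key")
    normalized = posixpath.normpath(requested_key)
    prefix = store_prefix(store_id)
    if not normalized.startswith(prefix) or normalized == prefix:
        raise UploadForbidden(f"key outside {prefix}")
    return normalized


def sign_upload(claims: dict, requested_key: str,
                signer: Callable[[str], str]) -> str:
    """Authorize first, then hand only the approved key to the signer.

    In production `signer` would wrap the SDK's presigned-PUT generation;
    here it is any callable from key to URL so the flow runs offline."""
    key = authorize_upload_key(claims, requested_key)
    return signer(key)


if __name__ == "__main__":
    fake_signer = lambda key: f"https://example-uploads.invalid/{key}?sig=demo"
    print(sign_upload({"store_id": "17"}, "stores/17/menu.png", fake_signer))
    try:
        sign_upload({"store_id": "17"}, "stores/42/menu.png", fake_signer)
    except UploadForbidden as exc:
        print("rejected:", exc)
```

The weak variant is kept only to make the contrast visible; the point of the hardened variant is that authorization is decided from the token's claims and a normalized key, before any signing happens, so a leaked or shared token cannot be used to sign paths for other stores.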
🔧 Temporary Workarounds
Implement AWS S3 bucket restrictions
Configure AWS S3 bucket policies to restrict uploads to authorized sources only and implement file validation.
🧯 If You Can't Patch
- Implement strict AWS IAM policies limiting upload permissions
- Deploy WAF rules to block unauthorized API calls to the upload endpoint
🔍 How to Verify
Check if Vulnerable:
Test if the API endpoint returns AWS upload URLs without proper store authorization checks. Review platform version against affected range.
Check Version:
Check platform version through admin interface or configuration files
Verify Fix Applied:
Verify that AWS upload URL generation now requires proper store authorization and returns appropriate errors for unauthorized requests.
📡 Detection & Monitoring
Log Indicators:
- Unusual AWS S3 upload activity from unexpected sources
- Multiple failed authorization attempts to upload API
- JWT token generation spikes
Network Indicators:
- Unusual API calls to AWS upload endpoint
- Traffic patterns showing file uploads from unauthorized IPs
SIEM Query:
source="aws:s3" AND (eventName="PutObject" OR eventName="CompleteMultipartUpload") AND errorCode IS NULL AND userIdentity.arn NOT IN [authorized_arns]
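The SIEM query above, carried through in plain Python over constructed CloudTrail-style S3 data events so it can be run offline. This is an added example, not part of the advisory; the ARNs, bucket, keys and IP addresses are made up, and the `stores/<id>/` key layout is assumed. It adds one caveat the query alone does not cover: an upload made through a presigned URL is logged under the identity that signed the URL, so the ARN allow-list only catches writes that bypass the signer. A second check therefore looks for one source IP writing into many different stores' paths, which matches the "uploads from unexpected sources" indicator listed above.

```python
"""Detect unexpected S3 writes in CloudTrail-style events (added example)."""
import json
from typing import Dict, Iterable, List, Optional

WRITE_EVENTS = {"PutObject", "CompleteMultipartUpload"}

# Constructed allow-list: the only principal expected to write uploads.
AUTHORIZED_ARNS = {
    "arn:aws:sts::111122223333:assumed-role/upload-signer/app",
}

SIGNER = "arn:aws:sts::111122223333:assumed-role/upload-signer/app"
ADMIN = "arn:aws:iam::111122223333:user/legacy-admin"


def _ev(name, arn, key, ip, error=None):
    """Build a trimmed, constructed CloudTrail data-event record."""
    e = {"eventSource": "s3.amazonaws.com", "eventName": name,
         "userIdentity": {"arn": arn},
         "requestParameters": {"bucketName": "example-uploads", "key": key},
         "sourceIPAddress": ip}
    if error:
        e["errorCode"] = error
    return e


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _ev("PutObject", SIGNER, "stores/17/menu.png", "203.0.113.10"),
    _ev("PutObject", SIGNER, "stores/42/menu.png", "198.51.100.7", "AccessDenied"),
    _ev("CompleteMultipartUpload", ADMIN, "stores/42/index.html", "198.51.100.7"),
    _ev("GetObject", ADMIN, "stores/42/index.html", "198.51.100.7"),
    _ev("PutObject", SIGNER, "stores/43/promo.jpg", "198.51.100.7"),
    _ev("PutObject", SIGNER, "stores/44/promo.jpg", "198.51.100.7"),
]


def is_unexpected_write(event: dict, authorized_arns=AUTHORIZED_ARNS) -> bool:
    """The advisory's query: successful S3 write by a non-allow-listed ARN."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in WRITE_EVENTS:
        return False
    if event.get("errorCode"):          # failed request, not a write
        return False
    arn = event.get("userIdentity", {}).get("arn")
    return arn not in authorized_arns


def unexpected_writes(events: Iterable[dict], authorized_arns=AUTHORIZED_ARNS) -> List[dict]:
    return [e for e in events if is_unexpected_write(e, authorized_arns)]


def store_from_key(key: str) -> Optional[str]:
    """Assumed layout: stores/<store_id>/<object>."""
    parts = key.split("/")
    if len(parts) >= 3 and parts[0] == "stores" and parts[1]:
        return parts[1]
    return None


def ips_spanning_stores(events: Iterable[dict], max_stores: int = 1) -> Dict[str, List[str]]:
    """Caveat check: presigned-URL uploads carry the signer's identity, so
    the allow-list cannot see a leaked or over-broad URL. Count instead how
    many distinct store prefixes each source IP successfully wrote to."""
    seen: Dict[str, set] = {}
    for e in events:
        if e.get("eventName") not in WRITE_EVENTS or e.get("errorCode"):
            continue
        store = store_from_key(e.get("requestParameters", {}).get("key", ""))
        if store is None:
            continue
        seen.setdefault(e.get("sourceIPAddress", "?"), set()).add(store)
    return {ip: sorted(s) for ip, s in seen.items() if len(s) > max_stores}


def scan_jsonl(lines: Iterable[str]) -> List[dict]:
    """Convenience: run the allow-list check over JSON-lines input."""
    events = [json.loads(line) for line in lines if line.strip()]
    return unexpected_writes(events)


if __name__ == "__main__":
    for e in unexpected_writes(SAMPLE_EVENTS):
        print("unexpected write:", e["userIdentity"]["arn"], e["requestParameters"]["key"])
    print("multi-store writers:", ips_spanning_stores(SAMPLE_EVENTS))
```

Tune `max_stores` to the real deployment: an IP belonging to a multi-site franchisee may legitimately write to a handful of stores, whereas a single client touching many unrelated store prefixes is the pattern worth paging on.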
🔗 References
- https://archive.today/fMYQp
- https://bobdahacker.com/blog/rbi-hacked-drive-thrus/
- https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus
- https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers
- https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html