CVE-2025-64061
📋 TL;DR
Primakon Pi Portal 1.0.18's /api/v2/users endpoint lacks proper access controls, allowing any authenticated user to retrieve a complete list of all registered users including their password hashes. This affects all organizations using the vulnerable version of Primakon Pi Portal, exposing sensitive user data to unauthorized internal users.
💻 Affected Systems
- Primakon Pi Portal
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain password hashes for all users, enabling offline hash cracking, credential reuse against other systems, lateral movement, and ultimately complete compromise of the environment.
Likely Case
Internal users with legitimate low-privilege accounts access sensitive user information including password hashes, potentially leading to credential theft and privilege escalation within the organization.
If Mitigated
With proper access controls, only authorized administrators can access user lists, preventing unauthorized data exposure and limiting attack surface.
🎯 Exploit Status
Exploitation requires only a valid low-privilege account and a single GET request to the /api/v2/users endpoint. The vulnerability is documented in public repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for patched version
Vendor Advisory: https://www.primakon.com/rjesenja/primakon-pcm/
Restart Required: Yes
Instructions:
1. Check vendor advisory for patched version
2. Download and install the patched version from Primakon
3. Restart the Pi Portal service
4. Verify the fix by testing access controls
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Pi Portal service port so that only authorized administrator addresses can reach it. Note that a port-level rule like the one below blocks the whole application for everyone else, not just the vulnerable endpoint, so it is only suitable where non-administrative users do not need the portal in the meantime.
# Example firewall rule (adjust [PORT] and [ADMIN_IP] for your environment;
# rule order matters, the ACCEPT must precede the DROP)
iptables -A INPUT -p tcp --dport [PORT] -s [ADMIN_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP
API Endpoint Disablement
Temporarily disable or restrict the vulnerable /api/v2/users endpoint
# Modify web server configuration to block access
# Example for nginx (deny all already answers 403; return 403 is kept for clarity):
location /api/v2/users {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Pi Portal from non-administrative users
- Deploy a web application firewall (WAF) with rules to block unauthorized access to the /api/v2/users endpoint
🔍 How to Verify
Check if Vulnerable:
Authenticate with a low-privilege account and send a GET request to the /api/v2/users endpoint. If it returns user records including password hashes, the system is vulnerable.
Check Version:
Check the Pi Portal administration interface or configuration files for version information
Verify Fix Applied:
After patching, attempt the same GET request with a low-privilege account. It should return an access denied error or empty response.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /api/v2/users from non-administrative accounts
- Unusual access patterns to user management endpoints
Network Indicators:
- GET requests to /api/v2/users from unauthorized IP addresses
- Large data transfers from the Pi Portal API
SIEM Query:
source="pi-portal-logs" AND uri="/api/v2/users" AND user_role!="admin"
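The log and network indicators above, turned into a small offline detection script. This is an added example, not code from the advisory or from Primakon; the JSON-lines log layout, the field names (user_role, uri, bytes, src_ip), the admin subnet 10.0.0.0/24 and the 50 kB "large transfer" threshold are all assumptions, and the log lines are constructed samples. It mirrors the SIEM query (GET to /api/v2/users by a non-admin role) and adds the other indicators the page lists: repeated requests per account, requests from outside the admin network, and large responses.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed log format: one JSON object per line. The real Pi Portal log layout
# is not documented on the advisory page; adjust the field names to match yours.
SENSITIVE_URI = "/api/v2/users"
ADMIN_NETWORKS = [ip_network("10.0.0.0/24")]   # assumed administrator subnet
LARGE_RESPONSE_BYTES = 50_000                   # assumed threshold for a full user-list dump

# Constructed sample log lines (not real Pi Portal output).
SAMPLE_LOG = """\
{"ts": "2025-11-10T09:00:01Z", "user": "alice", "user_role": "admin", "method": "GET", "uri": "/api/v2/users", "status": 200, "bytes": 81234, "src_ip": "10.0.0.5"}
{"ts": "2025-11-10T09:02:14Z", "user": "bob", "user_role": "user", "method": "GET", "uri": "/api/v2/users", "status": 200, "bytes": 81234, "src_ip": "192.168.50.7"}
{"ts": "2025-11-10T09:02:20Z", "user": "bob", "user_role": "user", "method": "GET", "uri": "/api/v2/users?page=2", "status": 200, "bytes": 80110, "src_ip": "192.168.50.7"}
{"ts": "2025-11-10T09:03:00Z", "user": "bob", "user_role": "user", "method": "GET", "uri": "/api/v2/projects", "status": 200, "bytes": 2048, "src_ip": "192.168.50.7"}
{"ts": "2025-11-10T09:05:41Z", "user": "carol", "user_role": "user", "method": "GET", "uri": "/api/v2/users", "status": 403, "bytes": 120, "src_ip": "192.168.50.9"}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def path_of(uri):
    """Strip the query string so /api/v2/users?page=2 still matches the endpoint."""
    return uri.split("?", 1)[0]


def is_admin_source(ip):
    """True if the client address falls inside an assumed administrator network."""
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def analyze(events):
    """Return (findings, repeat_offenders) for GET requests to the user-list endpoint.

    findings: one entry per suspicious request with the indicators it matched.
    repeat_offenders: non-admin accounts that hit the endpoint more than once.
    """
    findings = []
    per_user = Counter()
    for e in events:
        if e.get("method") != "GET" or path_of(e.get("uri", "")) != SENSITIVE_URI:
            continue
        non_admin_role = e.get("user_role") != "admin"
        non_admin_ip = not is_admin_source(e.get("src_ip", "0.0.0.0"))
        if non_admin_role:
            per_user[e["user"]] += 1

        reasons = []
        if non_admin_role and e.get("status") == 200:
            reasons.append("non_admin_user_list_returned")   # data actually exposed
        elif non_admin_role:
            reasons.append("non_admin_user_list_denied")     # attempt blocked (patched/WAF)
        if non_admin_ip:
            reasons.append("non_admin_source_ip")
        # A large response is only interesting when something else is off;
        # an admin pulling the list from the admin subnet is normal operation.
        if (non_admin_role or non_admin_ip) and e.get("status") == 200 \
                and e.get("bytes", 0) >= LARGE_RESPONSE_BYTES:
            reasons.append("large_user_list_transfer")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"],
                             "src_ip": e["src_ip"], "reasons": reasons})

    repeat_offenders = {u: n for u, n in per_user.items() if n > 1}
    return findings, repeat_offenders


if __name__ == "__main__":
    found, repeats = analyze(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} user={f['user']} src={f['src_ip']} {','.join(f['reasons'])}")
    for user, count in repeats.items():
        print(f"repeat: {user} requested {SENSITIVE_URI} {count} times as a non-admin")
```

Requests that were denied (403) are reported separately from those that returned data, so the same script can confirm, after patching, that non-admin attempts are being refused while still surfacing who is probing the endpoint.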