CVE-2025-64065
📋 TL;DR
This vulnerability allows any authenticated low-privileged user in Primakon Pi Portal to impersonate any other user, including administrators, by exploiting broken authorization in the user impersonation feature. It affects organizations using Primakon Pi Portal 1.0.18 with the vulnerable API endpoint exposed. Attackers can gain administrative privileges without needing passwords or tokens.
💻 Affected Systems
- Primakon Pi Portal
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative control, access sensitive data, modify configurations, and potentially deploy ransomware or backdoors across the entire Primakon environment.
Likely Case
Privilege escalation leading to unauthorized access to sensitive user data, configuration changes, and potential lateral movement within the system.
If Mitigated
Limited impact if proper network segmentation, strong authentication, and monitoring are in place, though the vulnerability still presents significant risk.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via direct PATCH requests. The GitHub reference contains technical details that could facilitate weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.primakon.com/rjesenja/primakon-pcm/
Restart Required: No
Instructions:
1. Check the vendor advisory for updates.
2. Apply any available patches.
3. Verify the fix by testing the vulnerable endpoint.
4. Monitor for vendor communications about newer versions.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Temporarily block access to the /api/V2/pp_udfv_admin endpoint at the network or application firewall level.
# Example for web server config (adjust for your environment):
# Apache: RewriteRule ^/api/V2/pp_udfv_admin - [F]
# Nginx: location ~ ^/api/V2/pp_udfv_admin { return 403; }
Implement API Gateway Controls
Add authorization checks at the API gateway to validate user privileges before allowing PATCH requests to the vulnerable endpoint.
# Implementation depends on your API gateway (e.g., Kong, AWS API Gateway)
# Configure policies to verify admin privileges for /api/V2/pp_udfv_admin PATCH requests
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Primakon Pi Portal from critical systems and limit access to authenticated users only.
- Deploy web application firewall (WAF) rules to detect and block suspicious PATCH requests to the vulnerable endpoint, and enhance logging and monitoring for impersonation attempts.
🔍 How to Verify
Check if Vulnerable:
Test whether an authenticated low-privileged user can send a PATCH request to /api/V2/pp_udfv_admin with another user's email to impersonate them. Use a tool such as curl:
curl -X PATCH -H 'Authorization: Bearer <token>' -d '{"email":"admin@example.com"}' https://target/api/V2/pp_udfv_admin
Check Version:
Check the Primakon Pi Portal version in the application interface or configuration files; the vulnerable version is 1.0.18.
Verify Fix Applied:
After applying fixes, repeat the test to ensure the PATCH request fails with proper authorization errors (e.g., 403 Forbidden) and cannot impersonate users.
📡 Detection & Monitoring
Log Indicators:
- Unusual PATCH requests to /api/V2/pp_udfv_admin from non-admin users
- Multiple login events from different IPs for the same user account in short timeframes
- Administrative actions performed by users without admin roles
Network Indicators:
- Spike in PATCH requests to the vulnerable endpoint
- Traffic patterns indicating privilege escalation attempts
SIEM Query:
source="primakon_logs" AND (url_path="/api/V2/pp_udfv_admin" AND http_method="PATCH") AND user_role!="admin"
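The log indicators above, implemented as two detection rules run over constructed sample events (an added example, not code from the advisory or the vendor; the JSON field names, the login path /api/V2/login and the 5-minute window are assumptions, the endpoint path is the one named in this advisory):

```python
import json
from datetime import datetime, timedelta

# Vulnerable impersonation endpoint named in the advisory.
VULN_PATH = "/api/V2/pp_udfv_admin"

# Constructed sample log lines (one JSON object per line); field names are assumptions.
SAMPLE_LOGS = """
{"ts":"2025-01-10T09:00:01Z","user":"alice","role":"user","ip":"10.0.0.5","method":"PATCH","path":"/api/V2/pp_udfv_admin","status":200}
{"ts":"2025-01-10T09:00:02Z","user":"alice","role":"user","ip":"10.0.0.5","method":"GET","path":"/api/V2/profile","status":200}
{"ts":"2025-01-10T09:00:05Z","user":"root_admin","role":"admin","ip":"10.0.0.5","method":"POST","path":"/api/V2/login","status":200}
{"ts":"2025-01-10T09:01:00Z","user":"root_admin","role":"admin","ip":"192.0.2.44","method":"POST","path":"/api/V2/login","status":200}
{"ts":"2025-01-10T09:02:00Z","user":"carol","role":"admin","ip":"10.0.0.9","method":"PATCH","path":"/api/V2/pp_udfv_admin","status":200}
""".strip()


def parse_logs(text):
    """Parse newline-delimited JSON events; convert the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def non_admin_patches(events, admin_roles=("admin",)):
    """Rule 1: PATCH requests to the impersonation endpoint from non-admin roles."""
    return [ev for ev in events
            if ev["method"] == "PATCH" and ev["path"] == VULN_PATH
            and ev["role"] not in admin_roles]


def multi_ip_logins(events, window=timedelta(minutes=5)):
    """Rule 2: the same account logging in from more than one IP inside `window`."""
    logins = sorted((ev for ev in events if ev["path"].endswith("/login")),
                    key=lambda e: e["ts"])
    flagged = set()
    for i, a in enumerate(logins):
        for b in logins[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break  # events are sorted, so nothing later can be inside the window
            if a["user"] == b["user"] and a["ip"] != b["ip"]:
                flagged.add(a["user"])
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for ev in non_admin_patches(evs):
        print("non-admin PATCH to impersonation endpoint:", ev["user"], ev["ip"])
    print("accounts with logins from multiple IPs:", multi_ip_logins(evs))
```

Feed the rules your own exported events in the same shape; a hit on rule 1 is the direct signal, and rule 2 corroborates an account being used from an attacker's address after impersonation.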