CVE-2025-64066

8.6 HIGH

📋 TL;DR

Primakon Pi Portal 1.0.18 has a broken access control vulnerability in its user registration endpoint (/api/v2/user/register) that allows unauthenticated attackers to create new user accounts in the portal's local database. The application's security model assumes that accounts are only ever created through external identity providers, but the local registration endpoint is still reachable without authentication, so that assumption can be bypassed with a single HTTP request. All organizations running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Primakon Pi Portal
Versions: 1.0.18
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. The application assumes external identity provider handles registration, but local endpoint remains accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker-created accounts give an outsider an authenticated foothold in an application that was never meant to offer local sign-up. Any functionality or weakness reachable only by logged-in users, or a separate privilege-escalation flaw, can then be chained from that foothold toward full compromise of the portal and the systems it fronts.

🟠 Likely Case

Attackers register unauthorized local accounts, use the endpoint's responses (for example, rejections for names that already exist) to enumerate valid users for reconnaissance, and use the new accounts as initial access for further attacks.

🟢 If Mitigated

Proper authorization controls on the endpoint prevent unauthorized registration; the residual impact is limited to reconnaissance from observing how the endpoint responds to registration attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request to /api/v2/user/register endpoint with user data. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.primakon.com/rjesenja/primakon-pcm/

Restart Required: No

Instructions:

1. Monitor the vendor advisory for a patch release.
2. Apply the patch when available.
3. Test in a non-production environment first.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block or restrict access to the /api/v2/user/register endpoint at the WAF or reverse proxy (for example, return 403 for that path, or allow it only from trusted source addresses).

WAF-specific configuration required.

Network Access Control

Platform: linux

Restrict network access to the vulnerable endpoint using firewall rules:

iptables -A INPUT -p tcp --dport [PORT] -m string --string "/api/v2/user/register" --algo bm -j DROP

Caveat: this rule matches a plaintext string in the TCP payload, so it only works when the portal is served over unencrypted HTTP on [PORT]. If the portal is served over TLS (the verification steps on this page use https://[target]), the request path is encrypted on the wire and the rule never matches; in that case terminate TLS at a reverse proxy and deny the path there, or restrict [PORT] to trusted source addresses instead. Payload string matching is also per packet and can be bypassed by splitting the path across TCP segments, so treat it as a stopgap rather than a control.

🧯 If You Can't Patch

  • Implement strong network segmentation to isolate the vulnerable system
  • Deploy intrusion detection systems to monitor for registration attempts

🔍 How to Verify

Check if Vulnerable:

Send POST request to https://[target]/api/v2/user/register with user data and check if account is created without authentication

Check Version:

Check application version in web interface or configuration files

Verify Fix Applied:

Attempt same POST request after remediation - should receive 401/403 error or redirect to authentication
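The following script automates the two checks above (is the endpoint exposed, and did the fix or workaround take effect). It is an added example, not vendor tooling: the advisory only says to POST "user data", so the JSON field names in CANARY_USER and the use of a JSON body are assumptions that must be adjusted to whatever the portal's own sign-up request sends. Redirects are deliberately not followed, because a 302 to a login page would otherwise come back as a misleading 200.

```python
"""Check for CVE-2025-64066: does /api/v2/user/register accept an
unauthenticated registration?  Added example, not vendor tooling."""
import json
import sys
import urllib.error
import urllib.request

REGISTER_PATH = "/api/v2/user/register"

# Field names are an assumption for illustration; the advisory only says
# "user data".  Match whatever the portal's own sign-up request sends.
CANARY_USER = {
    "username": "cve-2025-64066-check",
    "email": "cve-2025-64066-check@example.invalid",
    "password": "Disposable-Passw0rd!",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def interpret(status):
    """Map the HTTP status of an unauthenticated registration POST to a verdict."""
    if 200 <= status < 300:
        return "VULNERABLE: registration accepted without authentication"
    if status in (401, 403):
        return "NOT VULNERABLE: endpoint requires authentication"
    if 300 <= status < 400:
        return "NOT VULNERABLE: redirected (typically to authentication)"
    if status in (404, 405, 410):
        return "NOT VULNERABLE: endpoint disabled or removed"
    if status in (400, 409, 422):
        # Auth checks normally run before input validation, so a content
        # rejection means the request got past (non-existent) authorization.
        return ("LIKELY VULNERABLE: endpoint processed the request but rejected "
                "its content; check the field names (a 409 on an existing name "
                "also confirms user enumeration)")
    return f"INCONCLUSIVE: unexpected HTTP {status}"


def probe(base_url, payload=CANARY_USER, timeout=10):
    """POST the canary registration with no credentials; return (status, verdict)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + REGISTER_PATH,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "User-Agent": "cve-2025-64066-check"},
        method="POST",
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code
    return status, interpret(status)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_cve_2025_64066.py https://portal.example.invalid")
    code, verdict = probe(sys.argv[1])
    print(f"HTTP {code}: {verdict}")
```

Run it only against systems you are authorized to test, and delete the canary account afterwards if the request succeeded. Run it once before remediation (expect a 2xx) and once after (expect 401/403 or a redirect); any other result means the check or the fix needs a closer look.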

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /api/v2/user/register from unauthenticated sources
  • Unusual user account creation events

Network Indicators:

  • HTTP POST to registration endpoint without authentication headers
  • Multiple registration attempts from single IP

SIEM Query (Splunk-style; the field names depend on your log source and may need to be mapped to your schema):

source="web_logs" AND uri_path="/api/v2/user/register" AND http_method="POST" AND NOT auth_token=*
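The log and network indicators above, turned into runnable detection logic as an added example (not part of the advisory). The JSON-lines access log shape, including the boolean "auth" field recording whether a request carried credentials, is an assumption; map it to your own log schema. The sample lines are constructed, not real traffic. Rule 1 flags every unauthenticated POST to the registration endpoint and grades it by outcome (a 2xx means an account was actually created); rule 2 flags the "multiple attempts from a single IP" pattern with a sliding time window.

```python
"""Detection logic for CVE-2025-64066 exploitation attempts over access logs.
Added example, not part of the advisory or vendor tooling."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

REGISTER_PATH = "/api/v2/user/register"

# Constructed sample log lines (not real traffic).  The JSON-lines layout and
# the 'auth' field (did the request carry credentials?) are assumptions.
SAMPLE_LOG = """\
{"ts": "2025-11-01T10:00:01Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/user/register", "status": 201, "auth": false}
{"ts": "2025-11-01T10:00:03Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/user/register", "status": 409, "auth": false}
{"ts": "2025-11-01T10:00:04Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/user/register", "status": 409, "auth": false}
{"ts": "2025-11-01T10:00:05Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/user/register", "status": 409, "auth": false}
{"ts": "2025-11-01T10:00:06Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/user/register", "status": 409, "auth": false}
{"ts": "2025-11-01T10:05:00Z", "src_ip": "198.51.100.20", "method": "POST", "path": "/api/v2/user/register", "status": 403, "auth": false}
{"ts": "2025-11-01T10:06:00Z", "src_ip": "192.0.2.44", "method": "GET", "path": "/api/v2/user/profile", "status": 200, "auth": true}
{"ts": "2025-11-01T10:07:00Z", "src_ip": "192.0.2.44", "method": "POST", "path": "/api/v2/user/register", "status": 201, "auth": true}
"""


def parse(log_text):
    """Parse a JSON-lines access log into dicts with a datetime 'ts'."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def severity(status):
    """Grade an unauthenticated registration attempt by what the server did."""
    if 200 <= status < 300:
        return "high"    # an account was created without authentication
    if status in (401, 403):
        return "low"     # blocked: the fix or workaround held, but someone is probing
    return "medium"      # 409/400/422: request was processed (enumeration signal)


def find_registration_attempts(records):
    """Rule 1: POST to the registration endpoint with no credentials attached."""
    return [
        {"ts": r["ts"], "src_ip": r["src_ip"], "status": r["status"],
         "severity": severity(r["status"])}
        for r in records
        if r["method"] == "POST" and r["path"] == REGISTER_PATH and not r.get("auth")
    ]


def find_bursts(attempts, threshold=5, window=timedelta(minutes=5)):
    """Rule 2: `threshold` or more unauthenticated attempts from one IP inside `window`."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["src_ip"]].append(a["ts"])
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:   # slide window start forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts.append({"src_ip": ip, "count": best, "window": window})
    return bursts


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Run both rules over a log and return the findings."""
    attempts = find_registration_attempts(parse(log_text))
    return {"attempts": attempts, "bursts": find_bursts(attempts, threshold, window)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["attempts"]:
        print(f"{a['ts']:%H:%M:%S} {a['src_ip']:>15} HTTP {a['status']} -> {a['severity']}")
    for b in result["bursts"]:
        print(f"burst: {b['src_ip']} made {b['count']} attempts within {b['window']}")
```

On the sample log this reports six unauthenticated attempts (one high-severity account creation from 203.0.113.7, four medium-severity rejections that look like enumeration, one low-severity blocked attempt from 198.51.100.20) and one burst for 203.0.113.7. The authenticated POST from 192.0.2.44 is not flagged by rule 1; if your threat model also wants every successful account creation reviewed, add a third rule on status 2xx regardless of the auth field.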
