CVE-2025-62644
BaseFortify
Publication date: 2025-10-17
Last updated on: 2025-10-31
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rbi | restaurant_brands_international_assistant | up to and including 2025-09-06 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling user signups on the affected platforms to prevent unauthorized account creation, enforcing email verification for new accounts, and securing authentication endpoints to avoid bypasses. Additionally, reviewing and correcting AWS Cognito configurations to ensure proper access control and password handling is critical. Since RBI fixed the vulnerabilities on the same day they were reported, applying similar patches or updates from RBI is recommended. [2]
Can you explain this vulnerability to me?
The vulnerability in the Restaurant Brands International (RBI) assistant platform involves a Global Store Directory that improperly shares personal information among authenticated users. Additionally, critical security flaws were found in RBI's platforms, allowing attackers to access sensitive data such as voice recordings containing personally identifiable information, manage franchise stores, view and edit employee accounts, and exploit misconfigurations in AWS Cognito that allowed unauthorized account creation and password exposure. [2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to personal and sensitive information, including voice recordings with personal data, employee accounts, and store analytics. Attackers could manipulate franchise store data, upload malicious files, and send unauthorized notifications, potentially causing privacy breaches, operational disruptions, and reputational damage. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized access or account creation on RBI platforms, especially those hosted on bk.com, popeyes.com, and timhortons.com. Since the issue involves misconfigurations in AWS Cognito with user signups enabled and an endpoint bypassing email verification, monitoring network traffic for suspicious signup activity or plaintext password transmissions via email could help. Commands to detect such activity might include network traffic analysis tools like 'tcpdump' or 'Wireshark' to capture HTTP requests to signup endpoints, or searching email logs for plaintext password emails. However, specific commands are not provided in the available resources. [2]