CVE-2025-62644
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-10-31

Assigner: MITRE

Description
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-17
Last Modified
2025-10-31
Generated
2026-06-16
AI Q&A
2025-10-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62644
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rbi restaurant_brands_international_assistant to 2025-09-06 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include disabling user signups on the affected platforms to prevent unauthorized account creation, enforcing email verification for new accounts, and securing authentication endpoints to avoid bypasses. Additionally, reviewing and correcting AWS Cognito configurations to ensure proper access control and password handling is critical. Since RBI fixed the vulnerabilities on the same day they were reported, applying similar patches or updates from RBI is recommended. [2]

Executive Summary

The vulnerability in the Restaurant Brands International (RBI) assistant platform involves a Global Store Directory that improperly shares personal information among authenticated users. Additionally, critical security flaws were found in RBI's platforms, allowing attackers to access sensitive data such as voice recordings containing personally identifiable information, manage franchise stores, view and edit employee accounts, and exploit misconfigurations in AWS Cognito that allowed unauthorized account creation and password exposure. [2]

Impact Analysis

This vulnerability can lead to unauthorized access to personal and sensitive information, including voice recordings with personal data, employee accounts, and store analytics. Attackers could manipulate franchise store data, upload malicious files, and send unauthorized notifications, potentially causing privacy breaches, operational disruptions, and reputational damage. [2]

Detection Guidance

Detection of this vulnerability involves checking for unauthorized access or account creation on RBI platforms, especially those hosted on bk.com, popeyes.com, and timhortons.com. Since the issue involves misconfigurations in AWS Cognito with user signups enabled and an endpoint bypassing email verification, monitoring network traffic for suspicious signup activity or plaintext password transmissions via email could help. Commands to detect such activity might include network traffic analysis tools like 'tcpdump' or 'Wireshark' to capture HTTP requests to signup endpoints, or searching email logs for plaintext password emails. However, specific commands are not provided in the available resources. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart