CVE-2025-34411
Unauthenticated API Exposure in Convercent Enables Tenant Enumeration
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eqs_group | convercent_whistleblowing_platform | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Convercent Whistleblowing Platform operated by EQS Group. An unauthenticated API endpoint, /GetLegalEntity, returns internal customer legal-entity names based on a supplied searchText fragment. Because this endpoint lacks proper authorization, a remote attacker without any privileges can query it using common legal suffix terms to enumerate and identify organizations using the platform. This means attackers can discover which companies are tenants of the platform by extracting sensitive business relationship information. [3]
How can this vulnerability impact me?
The vulnerability can impact you by enabling attackers to identify organizations using the Convercent platform, which can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs. It exposes sensitive business relationships and compliance infrastructure, potentially putting organizations at risk of social engineering or other malicious activities. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending unauthenticated HTTP requests to the /GetLegalEntity API endpoint of the Convercent Whistleblowing Platform and observing whether it returns internal customer legal-entity names based on a supplied searchText fragment. A simple detection command using curl could be: `curl -X GET 'https://<target-domain>/GetLegalEntity?searchText=Inc' -i`. If the response contains legal entity names without authentication, the vulnerability is present. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /GetLegalEntity API endpoint by implementing proper authentication and authorization controls to prevent unauthenticated queries. Additionally, monitoring and logging access to this endpoint can help detect abuse. Contacting Convercent support for available patches or updates and applying any security updates provided by EQS Group is also recommended. [3, 2]
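The monitoring step above, as an added example that is not part of this advisory or of the vendor's tooling: it scans constructed reverse-proxy log lines (JSON per line; the field names `src`, `uri`, `auth`, `ts` and the exact path `/GetLegalEntity` are assumptions) for unauthenticated requests to the endpoint and flags sources that cycle through several distinct searchText values in a short window, which is the enumeration pattern the CVE describes.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (JSON lines); field names are assumptions, not the product's format.
SAMPLE_LOG = """\
{"ts": 1700000000, "src": "203.0.113.7", "uri": "/GetLegalEntity?searchText=Inc", "auth": false, "status": 200}
{"ts": 1700000003, "src": "203.0.113.7", "uri": "/GetLegalEntity?searchText=Ltd", "auth": false, "status": 200}
{"ts": 1700000005, "src": "203.0.113.7", "uri": "/GetLegalEntity?searchText=GmbH", "auth": false, "status": 200}
{"ts": 1700000009, "src": "198.51.100.4", "uri": "/GetLegalEntity?searchText=Acme", "auth": true, "status": 200}
{"ts": 1700000010, "src": "198.51.100.9", "uri": "/Login", "auth": false, "status": 200}
"""

ENDPOINT = "/GetLegalEntity"  # assumed path; adjust to the deployment's real route

def parse_lines(text):
    """One dict per non-empty JSON log line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def search_text(uri):
    """The searchText query value, or None if absent."""
    return parse_qs(urlsplit(uri).query).get("searchText", [None])[0]

def unauth_hits(events):
    """Requests to the endpoint that carried no authenticated session (the CVE's condition)."""
    return [e for e in events
            if urlsplit(e["uri"]).path == ENDPOINT and not e.get("auth", False)]

def enumeration_sources(events, window=300, min_terms=3):
    """Map source -> sorted searchText terms for sources that sent at least
    `min_terms` distinct unauthenticated terms within `window` seconds."""
    by_src = defaultdict(list)
    for e in unauth_hits(events):
        term = search_text(e["uri"])
        if term is not None:
            by_src[e["src"]].append((e["ts"], term))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological, so each window slides forward from hit i
        for i, (t0, _) in enumerate(hits):
            terms = {term for ts, term in hits[i:] if ts - t0 <= window}
            if len(terms) >= min_terms:
                flagged[src] = sorted(terms)
                break
    return flagged

if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    print(len(unauth_hits(events)), "unauthenticated hits;", enumeration_sources(events))
```

Any unauthenticated hit is worth an alert once the fix is deployed, since the endpoint should then reject such requests; the windowed check is for triage of pre-patch logs.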
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes internal customer legal-entity names through an unauthenticated API endpoint, which can reveal sensitive business relationships and compliance infrastructure. Such exposure can facilitate targeted attacks like phishing or extortion against whistleblowing programs. While the provided information does not explicitly state the direct impact on compliance with standards like GDPR or HIPAA, the disclosure of sensitive information and potential compromise of whistleblowing programs could negatively affect an organization's ability to maintain confidentiality and integrity required by these regulations. [3]