CVE-2025-34411
Unauthenticated API Exposure in Convercent Enables Tenant Enumeration

Publication date: 2025-12-15

Last updated on: 2025-12-15

Assigner: VulnCheck

Description
The Convercent Whistleblowing Platform operated by EQS Group exposes an unauthenticated API endpoint at /GetLegalEntity that returns internal customer legal-entity names based on a supplied searchText fragment. A remote unauthenticated attacker can query the endpoint using common legal-suffix terms to enumerate Convercent tenants, identifying organizations using the platform. This disclosure can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs and reveals sensitive business relationships and compliance infrastructure.
Meta Information
Published: 2025-12-15
Last Modified: 2025-12-15
Generated: 2026-06-16
AI Q&A: 2025-12-15
EPSS Evaluated: 2025-12-24
Affected Vendors & Products (1 associated CPE)
Vendor: eqs_group
Product: convercent_whistleblowing_platform
Version / Range: * (all versions)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

This vulnerability exists in the Convercent Whistleblowing Platform operated by EQS Group. An unauthenticated API endpoint, /GetLegalEntity, returns internal customer legal-entity names based on a supplied searchText fragment. Because this endpoint lacks an authorization check, a remote attacker without any privileges can query it using common legal-suffix terms to enumerate and identify organizations using the platform. In effect, an attacker can learn which companies are tenants of the platform, which is itself sensitive business-relationship information. [3]

Impact Analysis

The vulnerability enables attackers to identify organizations using the Convercent platform, which can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs. It exposes sensitive business relationships and compliance infrastructure, putting affected organizations at risk of social engineering and other malicious activity. [3]

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP requests to the /GetLegalEntity API endpoint of the Convercent Whistleblowing Platform and observing if it returns internal customer legal-entity names based on a supplied searchText fragment. A simple detection command using curl could be: curl -X GET 'https://<target-domain>/GetLegalEntity?searchText=Inc' -i. If the response contains legal entity names without authentication, the vulnerability is present. [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /GetLegalEntity API endpoint by implementing proper authentication and authorization controls to prevent unauthenticated queries. Additionally, monitoring and logging access to this endpoint can help detect abuse. Contacting Convercent support for available patches or updates and applying any security updates provided by EQS Group is also recommended. [3, 2]
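The monitoring and logging recommended above can be turned into a concrete check. The following is an added example, not code from this record or from EQS Group: it scans web-server access-log lines in Common Log Format (where the authuser field is "-" for requests with no authenticated identity) and flags clients that received successful /GetLegalEntity responses without authentication while using legal-suffix fragments or many distinct searchText values. The suffix list, the threshold and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common Log Format: host ident authuser [date] "request" status bytes.
# The authuser field is "-" when the request carried no authenticated identity.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Generic legal-suffix fragments (assumed list): searching for these walks the
# whole legal-entity table rather than looking up one organisation.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "gmbh", "corp", "plc", "ag", "sa", "bv"}

def parse_line(line):
    """Parse one CLF line; return a dict with path and searchText, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["search"] = parse_qs(parts.query).get("searchText", [""])[0].strip().lower()
    return rec

def find_enumeration(lines, min_distinct=3):
    """Map client IP -> sorted searchText fragments for clients that got 200s from
    /GetLegalEntity unauthenticated and used a suffix or >= min_distinct fragments."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != "/getlegalentity":
            continue
        if rec["user"] != "-" or rec["status"] != "200":
            continue
        seen[rec["ip"]].add(rec["search"])
    return {ip: sorted(t) for ip, t in seen.items()
            if len(t) >= min_distinct or t & LEGAL_SUFFIXES}

# Constructed sample log lines (not real traffic); 203.0.113.7 is the enumerator.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2025:10:00:01 +0000] "GET /GetLegalEntity?searchText=Inc HTTP/1.1" 200 8421',
    '203.0.113.7 - - [15/Dec/2025:10:00:02 +0000] "GET /GetLegalEntity?searchText=LLC HTTP/1.1" 200 7310',
    '203.0.113.7 - - [15/Dec/2025:10:00:03 +0000] "GET /GetLegalEntity?searchText=GmbH HTTP/1.1" 200 5120',
    '198.51.100.4 - jdoe [15/Dec/2025:10:05:00 +0000] "GET /GetLegalEntity?searchText=Acme%20Widgets HTTP/1.1" 200 212',
    '198.51.100.22 - - [15/Dec/2025:10:05:30 +0000] "GET /GetLegalEntity?searchText=Contoso HTTP/1.1" 200 310',
    '198.51.100.9 - - [15/Dec/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Run find_enumeration over the lines of your own access log; once authentication is enforced on the endpoint, the same check (or an alert on any 200 with authuser "-") confirms the fix holds.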

Compliance Impact

This vulnerability exposes internal customer legal-entity names through an unauthenticated API endpoint, which can reveal sensitive business relationships and compliance infrastructure. Such exposure can facilitate targeted attacks like phishing or extortion against whistleblowing programs. While the provided information does not explicitly state the direct impact on compliance with standards like GDPR or HIPAA, the disclosure of sensitive information and potential compromise of whistleblowing programs could negatively affect an organization's ability to maintain confidentiality and integrity required by these regulations. [3]
