CVE-2025-67282
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tim_solutions_gmbh | tim_bpm_suite | 9.1.2 |
| tim_solutions_gmbh | tim_bpm_suite | to 9.1.2 (exc) |
| tim_solutions_gmbh | tim_flow | 9.1.2 |
| tim_solutions_gmbh | tim_flow | to 9.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67282 is an Incorrect Access Control vulnerability in TIM BPM Suite and TIM FLOW versions prior to 9.1.2. It allows a low-privileged user to perform unauthorized actions such as downloading password hashes of other users, accessing and modifying work items and restricted workflow content belonging to other users, changing the application's logo, and manipulating other users' profiles. [2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access and modification of sensitive data and application content. An attacker with low privileges could obtain password hashes of other users, potentially leading to credential compromise. They could also access and alter work items and restricted workflow content, change the application's branding, and manipulate user profiles, which could disrupt business processes, damage trust, and lead to further exploitation within the system. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor's updates that remediate these vulnerabilities, specifically upgrading TIM BPM Suite / TIM FLOW to version 9.1.2 or later. Additionally, it is recommended to follow OWASP guidelines such as the SQL Injection Prevention Cheat Sheet, Authorization Cheat Sheet, and Password Storage Cheat Sheet to enhance security and prevent exploitation of these vulnerabilities. [2]