CVE-2025-67282
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: MITRE

Description
In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67282
EUVD
EUVD-2026-1715
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
tim_solutions_gmbh tim_bpm_suite 9.1.2
tim_solutions_gmbh tim_bpm_suite to 9.1.2 (exc)
tim_solutions_gmbh tim_flow 9.1.2
tim_solutions_gmbh tim_flow to 9.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67282 is an Incorrect Access Control vulnerability in TIM BPM Suite and TIM FLOW versions prior to 9.1.2. It allows a low-privileged user to perform unauthorized actions such as downloading password hashes of other users, accessing and modifying work items and restricted workflow content belonging to other users, changing the application's logo, and manipulating other users' profiles. [2]

Impact Analysis

This vulnerability can lead to unauthorized access and modification of sensitive data and application content. An attacker with low privileges could obtain password hashes of other users, potentially leading to credential compromise. They could also access and alter work items and restricted workflow content, change the application's branding, and manipulate user profiles, which could disrupt business processes, damage trust, and lead to further exploitation within the system. [2]

Mitigation Strategies

Immediate mitigation steps include applying the vendor's updates that remediate these vulnerabilities, specifically upgrading TIM BPM Suite / TIM FLOW to version 9.1.2 or later. Additionally, it is recommended to follow OWASP guidelines such as the SQL Injection Prevention Cheat Sheet, Authorization Cheat Sheet, and Password Storage Cheat Sheet to enhance security and prevent exploitation of these vulnerabilities. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart