CVE-2025-64066 — HIGH (8.6)

Vulnerability Description

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of application. This specific request can be used to also enumerate already registered user accounts, aiding in social engineering or further targeted attacks.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Primakon	Project Contract Management	1.0.18

Related Weaknesses (CWE)

CWE-284

References

https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64066.mdThird Party Advisory
https://www.primakon.com/rjesenja/primakon-pcm/Product

FAQ

What is CVE-2025-64066?

CVE-2025-64066 is a vulnerability with a CVSS score of 8.6 (HIGH). Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated att...

How severe is CVE-2025-64066?

CVE-2025-64066 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-64066?

Check the references section above for vendor advisories and patch information. Affected products include: Primakon Project Contract Management.