CVE-2025-62645
Published: 17 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-62645 is a critical vulnerability in the Restaurant Brands International (RBI) assistant platform through version 2025-09-06. It enables a remote authenticated attacker to obtain a token granting administrative privileges across the entire platform via the createToken GraphQL mutation. The issue, published on 2025-10-17, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-266 (Incorrect Privilege Assignment).
A remote attacker with low-privilege authenticated access can exploit the vulnerability with low attack complexity and no user interaction. Exploitation yields a token with full administrative privileges, allowing comprehensive control over the platform and resulting in high impacts to confidentiality, integrity, and availability due to the expanded scope.
References provided in the CVE include hacker disclosures and news reports, such as archive.today/fMYQp, bobdahacker.com/blog/rbi-hacked-drive-thrus, and malwarebytes.com coverage of vulnerabilities in Popeyes, Tim Hortons, and Burger King drive-thru platforms, along with yahoo.com articles on related hacks.
Notably, the vulnerability has been publicly demonstrated by hackers against RBI brands' platforms, as detailed in the referenced blogs and reports.
Details
CWE(s): CWE-266 (Incorrect Privilege Assignment)
Affected Products: Restaurant Brands International (RBI) assistant platform through version 2025-09-06
MITRE ATT&CK Enterprise Techniques: T1068 (Exploitation for Privilege Escalation)
Why these techniques?
The vulnerability allows low-privileged authenticated attackers to exploit a GraphQL mutation for creating an admin token, directly enabling Exploitation for Privilege Escalation (T1068).