CVE-2025-64066
Published: 25 November 2025
Description
Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of the application. This specific request can also be used to enumerate already registered user accounts, aiding in social engineering or further targeted attacks.
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for access to system resources, directly addressing the lack of authorization checks that allow unauthenticated user registration.
- Requires authorization prior to creating system accounts, preventing unauthenticated attackers from registering arbitrary user accounts in the local database.
- Explicitly defines and restricts actions permitted without identification or authentication, ensuring user registration is not allowable for unauthenticated users.
Security Summary
CVE-2025-64066 is a Broken Access Control vulnerability (CWE-284) affecting Primakon Pi Portal version 1.0.18, specifically the REST API endpoint /api/v2/user/register. Published on 2025-11-25, the vulnerability arises because the endpoint performs no authorization checks, allowing unauthenticated POST requests to create new user accounts directly in the application's local database. This undermines the intended security model, which depends on an external Identity Provider for initial registrations and restricts internal user creation to administrators only. The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By sending crafted POST requests, they can register arbitrary accounts, potentially gaining initial footholds within the application. The endpoint also enables enumeration of existing registered user accounts through error responses or other indicators, supporting social engineering or reconnaissance for further attacks. This vector can be chained with additional vulnerabilities to achieve privilege escalation and complete application compromise.
Advisories and mitigation details are available in referenced sources, including a GitHub vulnerability disclosure at https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64066.md and Primakon's official solutions page at https://www.primakon.com/rjesenja/primakon-pcm/.
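To make the flaw concrete, here is an added illustration (not Primakon's code; the handler, the bearer-token session table and the user set are all constructed for this example) of a minimal registration handler in the shape described above, next to a hardened version that authorizes before touching the user store and so gives non-admin callers one identical response whatever username they send.

```python
import hmac
from typing import Optional

# Constructed sample data: session token -> role. Real deployments would look
# this up in the session store populated by the external Identity Provider.
ADMIN_SESSIONS = {"tok-admin-0001": "admin"}


def register_vulnerable(request: dict, users: set) -> dict:
    """Mirrors the advisory's flaw: no authorization check, and a distinct error
    for an existing username lets an unauthenticated caller enumerate accounts."""
    username = request["body"]["username"]
    if username in users:
        return {"status": 409, "body": "user already exists"}  # enumeration oracle
    users.add(username)
    return {"status": 201, "body": "created"}


def _caller_role(request: dict) -> Optional[str]:
    """Resolve the caller's role from a bearer token; None if absent or unknown."""
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Bearer "):
        return None
    presented = header[len("Bearer "):]
    for token, role in ADMIN_SESSIONS.items():
        if hmac.compare_digest(token, presented):  # constant-time comparison
            return role
    return None


def register_hardened(request: dict, users: set, audit: Optional[list] = None) -> dict:
    """Fix: internal account creation is admin-only (the intended design per the
    advisory). The check runs before the body or the user store is consulted, so
    the rejection response cannot depend on whether the username exists."""
    if _caller_role(request) != "admin":
        if audit is not None:  # denied attempts are a useful detection signal
            audit.append("register denied: caller not an administrator")
        return {"status": 401, "body": "authentication required"}
    username = request["body"]["username"]
    if username in users:
        return {"status": 409, "body": "user already exists"}  # admin may know this
    users.add(username)
    return {"status": 201, "body": "created"}
```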
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated exploitation of public-facing REST API (T1190) enables local account enumeration (T1087.001) and creation (T1136.001) in the application database, bypassing external authentication.