Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62644

CVE-2025-62644: RBI Assistant Information Disclosure Flaw

CVE-2025-62644 is an information disclosure vulnerability in Restaurant Brands International Assistant that exposes personal information through its Global Store Directory. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-62644 Overview

CVE-2025-62644 affects the Restaurant Brands International (RBI) assistant platform through 2025-09-06. The platform's Global Store Directory exposes personal information to any authenticated user. RBI operates Burger King, Tim Hortons, Popeyes, and Firehouse Subs, meaning the directory aggregates data across a large franchise workforce.

The weakness maps to CWE-359: Exposure of Private Personal Information to an Unauthorized Actor. Any account with valid platform credentials can read employee directory entries without additional authorization checks.

Critical Impact

Authenticated users can retrieve personal information of employees across the entire RBI brand portfolio through the Global Store Directory, enabling targeted phishing, social engineering, and account takeover campaigns against franchise staff.

Affected Products

  • Restaurant Brands International (RBI) assistant platform through 2025-09-06
  • Associated brand-facing portals for Burger King, Tim Hortons, Popeyes, and Firehouse Subs operations
  • Any tenant relying on the shared Global Store Directory service

Discovery Timeline

  • 2025-10-17 - CVE-2025-62644 published to the National Vulnerability Database
  • 2025-10-31 - Last updated in NVD database

Technical Details for CVE-2025-62644

Vulnerability Analysis

The RBI assistant platform provides a Global Store Directory that lists personal information for users associated with restaurant locations. The directory enforces authentication but does not apply granular authorization to limit which records a given user may view. As a result, any low-privileged authenticated account can enumerate personal data belonging to staff outside their store, region, or brand.

Public reporting from independent researchers describes the directory as returning identifying details across the full RBI organization once an account is authenticated. The exposure does not require chained exploits, privilege escalation, or tampering with client-side controls. Authenticated enumeration of the directory is sufficient to harvest information at scale.

The attack scope crosses tenant boundaries within the platform, which is why the issue is treated as a scope-changing information disclosure rather than a local data leak.

Root Cause

The root cause is missing authorization on the directory data tier. The application treats authentication as sufficient evidence to return any record in the Global Store Directory. There is no enforcement of role, store affiliation, or brand boundary on read operations, which is the core failure pattern described by CWE-359.

Attack Vector

The vulnerability is exploitable over the network by any user holding valid platform credentials. Credentialed franchise employees, contractors, or attackers in possession of phished accounts can query the directory endpoint and iterate over results. No user interaction from victims is required. Refer to the Bob Da Hacker Blog Post and the Malwarebytes News Article for narrative details of the exposure.

No exploitation code is provided. The vulnerability is exercised through normal authenticated requests to the directory feature, so no synthetic proof-of-concept is included here.

Detection Methods for CVE-2025-62644

Indicators of Compromise

  • High-volume authenticated requests from a single account against the Global Store Directory endpoint over short time windows
  • Directory queries originating from accounts whose role or store assignment does not justify cross-brand lookups
  • Account sessions enumerating user records sequentially or with pagination cursors at machine speed
  • Authentication from atypical geographies or IP ranges followed immediately by directory browsing activity

Detection Strategies

  • Baseline normal directory access patterns per role and alert on deviations such as cross-brand or cross-region queries
  • Instrument the directory API with per-account request rate counters and trigger on bulk enumeration thresholds
  • Correlate identity provider sign-in logs with application-tier directory access to identify compromised accounts
  • Hunt for stale or service accounts performing interactive directory reads outside expected automation windows

Monitoring Recommendations

  • Forward application access logs and identity provider events into a centralized analytics platform with retention sufficient for retrospective hunts
  • Monitor for credential stuffing and password spraying activity against the assistant platform login surface
  • Track outbound data volumes from directory endpoints and alert on responses exceeding expected record counts
  • Review audit trails for privilege changes and newly created accounts that subsequently access the directory

How to Mitigate CVE-2025-62644

Immediate Actions Required

  • Contact RBI platform administrators to confirm whether mitigations have been deployed and request the current remediation status
  • Restrict or disable Global Store Directory access for accounts that do not have an operational need to view cross-store personnel data
  • Rotate credentials for high-risk accounts and enforce multi-factor authentication on every login path to the platform
  • Notify employees that they may be targeted by phishing or social engineering using data harvested from the directory

Patch Information

No vendor advisory or patch reference is published in the NVD entry for CVE-2025-62644 at the time of writing. Operators should track the archived disclosure page and direct vendor communications for updates. The Yahoo News coverage summarizes the broader reporting around the platform.

Workarounds

  • Apply server-side authorization that filters directory results based on the requesting user's store, brand, and role assignment
  • Introduce rate limiting and anomaly detection on the directory endpoint to slow bulk enumeration
  • Mask non-essential personal fields in directory responses and require explicit elevation for full record retrieval
  • Conduct an access review of all authenticated platform accounts and revoke unused or orphaned identities
bash
# Example reverse proxy rate limit for the directory endpoint (nginx)
limit_req_zone $http_authorization zone=rbi_dir:10m rate=10r/m;

location /api/global-store-directory/ {
    limit_req zone=rbi_dir burst=5 nodelay;
    proxy_pass http://assistant_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.