CVE-2025-62644 Overview
CVE-2025-62644 affects the Restaurant Brands International (RBI) assistant platform through 2025-09-06. The platform's Global Store Directory exposes personal information to any authenticated user. RBI operates Burger King, Tim Hortons, Popeyes, and Firehouse Subs, meaning the directory aggregates data across a large franchise workforce.
The weakness maps to CWE-359: Exposure of Private Personal Information to an Unauthorized Actor. Any account with valid platform credentials can read employee directory entries without additional authorization checks.
Critical Impact
Authenticated users can retrieve personal information of employees across the entire RBI brand portfolio through the Global Store Directory, enabling targeted phishing, social engineering, and account takeover campaigns against franchise staff.
Affected Products
- Restaurant Brands International (RBI) assistant platform through 2025-09-06
- Associated brand-facing portals for Burger King, Tim Hortons, Popeyes, and Firehouse Subs operations
- Any tenant relying on the shared Global Store Directory service
Discovery Timeline
- 2025-10-17 - CVE-2025-62644 published to the National Vulnerability Database
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2025-62644
Vulnerability Analysis
The RBI assistant platform provides a Global Store Directory that lists personal information for users associated with restaurant locations. The directory enforces authentication but does not apply granular authorization to limit which records a given user may view. As a result, any low-privileged authenticated account can enumerate personal data belonging to staff outside their store, region, or brand.
Public reporting from independent researchers describes the directory as returning identifying details across the full RBI organization once an account is authenticated. The exposure does not require chained exploits, privilege escalation, or tampering with client-side controls. Authenticated enumeration of the directory is sufficient to harvest information at scale.
The attack scope crosses tenant boundaries within the platform, which is why the issue is treated as a scope-changing information disclosure rather than a local data leak.
Root Cause
The root cause is missing authorization on the directory data tier. The application treats authentication as sufficient evidence to return any record in the Global Store Directory. There is no enforcement of role, store affiliation, or brand boundary on read operations, which is the core failure pattern described by CWE-359.
Attack Vector
The vulnerability is exploitable over the network by any user holding valid platform credentials. Credentialed franchise employees, contractors, or attackers in possession of phished accounts can query the directory endpoint and iterate over results. No user interaction from victims is required. Refer to the Bob Da Hacker Blog Post and the Malwarebytes News Article for narrative details of the exposure.
No exploitation code is provided. The vulnerability is exercised through normal authenticated requests to the directory feature, so no synthetic proof-of-concept is included here.
Detection Methods for CVE-2025-62644
Indicators of Compromise
- High-volume authenticated requests from a single account against the Global Store Directory endpoint over short time windows
- Directory queries originating from accounts whose role or store assignment does not justify cross-brand lookups
- Account sessions enumerating user records sequentially or with pagination cursors at machine speed
- Authentication from atypical geographies or IP ranges followed immediately by directory browsing activity
Detection Strategies
- Baseline normal directory access patterns per role and alert on deviations such as cross-brand or cross-region queries
- Instrument the directory API with per-account request rate counters and trigger on bulk enumeration thresholds
- Correlate identity provider sign-in logs with application-tier directory access to identify compromised accounts
- Hunt for stale or service accounts performing interactive directory reads outside expected automation windows
Monitoring Recommendations
- Forward application access logs and identity provider events into a centralized analytics platform with retention sufficient for retrospective hunts
- Monitor for credential stuffing and password spraying activity against the assistant platform login surface
- Track outbound data volumes from directory endpoints and alert on responses exceeding expected record counts
- Review audit trails for privilege changes and newly created accounts that subsequently access the directory
How to Mitigate CVE-2025-62644
Immediate Actions Required
- Contact RBI platform administrators to confirm whether mitigations have been deployed and request the current remediation status
- Restrict or disable Global Store Directory access for accounts that do not have an operational need to view cross-store personnel data
- Rotate credentials for high-risk accounts and enforce multi-factor authentication on every login path to the platform
- Notify employees that they may be targeted by phishing or social engineering using data harvested from the directory
Patch Information
No vendor advisory or patch reference is published in the NVD entry for CVE-2025-62644 at the time of writing. Operators should track the archived disclosure page and direct vendor communications for updates. The Yahoo News coverage summarizes the broader reporting around the platform.
Workarounds
- Apply server-side authorization that filters directory results based on the requesting user's store, brand, and role assignment
- Introduce rate limiting and anomaly detection on the directory endpoint to slow bulk enumeration
- Mask non-essential personal fields in directory responses and require explicit elevation for full record retrieval
- Conduct an access review of all authenticated platform accounts and revoke unused or orphaned identities
# Example reverse proxy rate limit for the directory endpoint (nginx)
limit_req_zone $http_authorization zone=rbi_dir:10m rate=10r/m;
location /api/global-store-directory/ {
limit_req zone=rbi_dir burst=5 nodelay;
proxy_pass http://assistant_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

