CVE-2025-64064 Overview
CVE-2025-64064 is a broken access control vulnerability in Primakon Pi Portal version 1.0.18. The /api/v2/pp_users endpoint fails to validate user permissions before processing PATCH requests that modify the PP_SECURITY_PROFILE_ID field. Any authenticated low-privilege user can send a PATCH request setting PP_SECURITY_PROFILE_ID=2 to elevate their account to Administrator. The flaw maps to [CWE-284: Improper Access Control] and affects the Primakon Project Contract Management product.
Critical Impact
Authenticated low-privilege users can escalate to Administrator over the network with low complexity, gaining full confidentiality, integrity, and availability impact on the application.
Affected Products
- Primakon Pi Portal 1.0.18
- Primakon Project Contract Management 1.0.18
- CPE: cpe:2.3:a:primakon:project_contract_management:1.0.18
Discovery Timeline
- 2025-11-25 - CVE-2025-64064 published to NVD
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2025-64064
Vulnerability Analysis
The vulnerability resides in the user management API exposed at /api/v2/pp_users. The endpoint accepts PATCH requests to update user attributes but does not enforce authorization checks on the PP_SECURITY_PROFILE_ID field. This field controls the security profile assigned to a user, where value 2 corresponds to the Administrator role.
An attacker with valid low-privilege credentials submits a PATCH request modifying their own user record. By including PP_SECURITY_PROFILE_ID=2 in the request body, the server updates the role without verifying whether the requesting user holds administrative rights. The attacker is promoted to Administrator on the next session evaluation.
Root Cause
The root cause is missing server-side authorization logic on a privileged field. The application treats the PATCH endpoint as a general-purpose self-service profile update without segregating which fields a low-privilege user is allowed to modify. Role assignment fields must be restricted to administrative callers, but the endpoint applies the same permission check to all attributes uniformly.
Attack Vector
Exploitation requires only network access and valid low-privilege credentials. The attacker authenticates to Pi Portal, identifies their own user identifier, and issues a PATCH request to /api/v2/pp_users with a JSON body containing PP_SECURITY_PROFILE_ID=2. No user interaction is required, and no special tooling beyond an HTTP client is needed. Full technical details are published in the GitHub CVE-2025-64064 advisory.
No verified public exploit code has been confirmed beyond the proof-of-concept described in the advisory referenced above.
Detection Methods for CVE-2025-64064
Indicators of Compromise
- PATCH requests to /api/v2/pp_users containing PP_SECURITY_PROFILE_ID in the body originating from non-administrative accounts
- Unexpected changes to user records where the security profile transitions to value 2 (Administrator)
- New Administrator-level activity from user accounts previously holding standard roles
Detection Strategies
- Inspect application and reverse-proxy logs for HTTP PATCH calls against /api/v2/pp_users and correlate the calling identity with the target user identifier
- Alert when the same authenticated session both modifies its own user record and subsequently performs administrative actions within a short time window
- Compare daily snapshots of the PP_USERS table to detect unauthorized changes to PP_SECURITY_PROFILE_ID values
Monitoring Recommendations
- Forward Pi Portal web server and application logs to a centralized SIEM for retention and behavioral analysis
- Enable database audit logging on the PP_USERS table to capture every modification to the security profile column
- Track baseline counts of Administrator accounts and alert on any increase outside change-management windows
How to Mitigate CVE-2025-64064
Immediate Actions Required
- Restrict network access to the Pi Portal /api/v2/pp_users endpoint to trusted administrative networks until a patch is applied
- Audit the PP_USERS table for unauthorized PP_SECURITY_PROFILE_ID changes and revoke any unexpected Administrator assignments
- Rotate credentials for any user account suspected of abusing the endpoint
Patch Information
No vendor patch URL is listed in NVD at the time of publication. Contact Primakon directly to obtain a fixed build of Pi Portal beyond version 1.0.18. Reference the Primakon product solutions page for vendor contact details.
Workarounds
- Deploy a reverse-proxy or web application firewall rule that blocks PATCH requests to /api/v2/pp_users containing the PP_SECURITY_PROFILE_ID field unless the caller is an Administrator
- Implement server-side field-level authorization that rejects updates to role attributes from non-administrative sessions
- Limit Pi Portal exposure to internal networks and require VPN access for all users until remediation is confirmed
# Example WAF rule (ModSecurity) blocking privilege escalation attempts
SecRule REQUEST_METHOD "@streq PATCH" \
"chain,phase:2,deny,status:403,id:1064064,\
msg:'CVE-2025-64064 Pi Portal privilege escalation attempt'"
SecRule REQUEST_URI "@beginsWith /api/v2/pp_users" "chain"
SecRule REQUEST_BODY "@rx PP_SECURITY_PROFILE_ID"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

