Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64066

CVE-2025-64066: Primakon Auth Bypass Vulnerability

CVE-2025-64066 is an authentication bypass flaw in Primakon Pi Portal that allows unauthenticated attackers to register new user accounts, bypassing intended security controls. This guide covers technical details, impact, and mitigation.

Published:

CVE-2025-64066 Overview

CVE-2025-64066 is a Broken Access Control vulnerability [CWE-284] affecting Primakon Pi Portal (Project Contract Management) version 1.0.18. The /api/v2/user/register REST endpoint fails to enforce authorization checks, allowing unauthenticated remote attackers to issue POST requests that create user accounts directly in the application's local database.

The flaw circumvents the intended security architecture, which delegates initial user provisioning to an external Identity Provider and treats local account creation as an administrative function. Attackers can also abuse the endpoint to enumerate existing accounts, supporting reconnaissance for follow-on social engineering or targeted attacks.

Critical Impact

Unauthenticated attackers can register arbitrary user accounts and enumerate existing users, enabling privilege escalation chains and full application compromise.

Affected Products

  • Primakon Project Contract Management (Pi Portal) 1.0.18
  • Deployments relying on Pi Portal's external Identity Provider integration
  • Installations exposing the /api/v2/user/register endpoint to untrusted networks

Discovery Timeline

  • 2025-11-25 - CVE-2025-64066 published to NVD
  • 2025-12-01 - Last updated in NVD database

Technical Details for CVE-2025-64066

Vulnerability Analysis

The vulnerability resides in the REST API route /api/v2/user/register exposed by Primakon Pi Portal 1.0.18. The endpoint accepts POST requests carrying user attributes and writes a new account directly into the application's local user store. No authentication token, session cookie, or role check gates the handler.

Pi Portal's documented architecture assumes an external Identity Provider (IdP) handles user onboarding, while the internal registration path is reserved for administrators provisioning service or local accounts. Because the handler omits authorization logic, it violates that trust boundary. Attackers reach a privileged code path from an unauthenticated context.

The same endpoint also leaks state through its response behavior, returning distinguishable results for existing versus new usernames or email addresses. This turns the registration call into a user-enumeration oracle.

Root Cause

The root cause is a missing authorization layer on a state-changing API route. The handler trusts that upstream network controls or the external IdP will prevent untrusted callers from reaching it, rather than enforcing role-based access control at the application tier. This is a classic [CWE-284] Improper Access Control pattern.

Attack Vector

Exploitation requires only network reachability to the Pi Portal API. An attacker sends a crafted POST to /api/v2/user/register with attacker-controlled username, email, and password fields. The server creates the account and returns a success response. Repeated requests with varied identifiers enumerate already-registered accounts based on response differentials. Created accounts can then be chained with secondary flaws to escalate privileges within the application.

No verified public proof-of-concept code is available. Refer to the GitHub Vulnerability Report for the original technical write-up.

Detection Methods for CVE-2025-64066

Indicators of Compromise

  • Unauthenticated POST requests to /api/v2/user/register originating from external or unexpected internal IP ranges.
  • New user accounts present in the Pi Portal local database that did not transit the external Identity Provider provisioning workflow.
  • High-volume sequential requests to the registration endpoint indicating account enumeration attempts.

Detection Strategies

  • Inspect web server and application logs for POST requests to /api/v2/user/register lacking a valid administrative session or bearer token.
  • Compare local user-store entries against the IdP's authoritative user roster to surface accounts created out-of-band.
  • Alert on response-code or response-size anomalies on the registration endpoint that indicate enumeration probing.

Monitoring Recommendations

  • Forward Pi Portal API access logs to a SIEM and build correlation rules for unauthenticated calls to user-management routes.
  • Track creation rate and source IP diversity for the /api/v2/user/register endpoint to detect automated abuse.
  • Audit local account creation events daily and reconcile with IdP provisioning records.

How to Mitigate CVE-2025-64066

Immediate Actions Required

  • Restrict network access to the /api/v2/user/register endpoint using a reverse proxy, WAF, or API gateway allowlist limited to administrative networks.
  • Contact Primakon for a fixed build of Project Contract Management beyond version 1.0.18 and apply it once available.
  • Review the local user store and disable any accounts that were not provisioned through the external Identity Provider.

Patch Information

No vendor advisory or patch URL is published in the available references at the time of writing. Coordinate directly with Primakon using the Primakon Product Overview contact channels to obtain a remediated release. Track updates in the GitHub Vulnerability Report.

Workarounds

  • Block external access to /api/v2/user/register at the perimeter until a patched version is deployed.
  • Enforce authentication and administrator role checks at an upstream API gateway in front of Pi Portal.
  • Rate-limit and log all requests to user-management endpoints to slow enumeration and create an audit trail.
  • Rotate credentials and review session activity for any accounts that may have been created or referenced via the vulnerable endpoint.
bash
# Example NGINX rule restricting the registration endpoint to an admin subnet
location = /api/v2/user/register {
    allow 10.10.20.0/24;   # admin management network
    deny  all;
    proxy_pass http://piportal_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.