CVE-2025-62645
Published: 17 October 2025
Summary
CVE-2025-62645 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in the Restaurant Brands International (RBI) assistant platform. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 43.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-6 enforces least privilege, directly preventing low-privilege authenticated users from obtaining administrative tokens via the createToken GraphQL mutation as described in this incorrect privilege assignment vulnerability.
AC-3 requires enforcement of approved authorizations, addressing the failure of the createToken mutation to restrict administrative token issuance to authorized users only.
AC-2 governs account and privilege management; it mitigates the issue by ensuring that token-related access rights are correctly assigned and monitored, so that an escalation attempt is either prevented or detected.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows low-privileged authenticated attackers to exploit a GraphQL mutation for creating an admin token, directly enabling Exploitation for Privilege Escalation (T1068).
NVD Description
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.
Deeper analysis
CVE-2025-62645 is a critical vulnerability in the Restaurant Brands International (RBI) assistant platform through version 2025-09-06. It enables a remote authenticated attacker to obtain a token granting administrative privileges across the entire platform via the createToken GraphQL mutation. The issue, published on 2025-10-17, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-266 (Incorrect Privilege Assignment).
A remote attacker with low-privilege authenticated access can exploit the vulnerability with low attack complexity and no user interaction. Exploitation yields a token with full administrative privileges, allowing comprehensive control over the platform and resulting in high impacts to confidentiality, integrity, and availability due to the expanded scope.
References provided in the CVE include hacker disclosures and news reports, such as archive.today/fMYQp, bobdahacker.com/blog/rbi-hacked-drive-thrus, and malwarebytes.com coverage of vulnerabilities in Popeyes, Tim Hortons, and Burger King drive-thru platforms, along with yahoo.com articles on related hacks.
Notably, the vulnerability has been publicly demonstrated against RBI brands' platforms, as detailed in the referenced blog posts and reports.
Details
- CWE(s)