Cyber Resilience

CVE-2025-62645

Critical · Public PoC

Published: 17 October 2025
Modified: 04 November 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 9.9 (v3.1) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.0020 (41.9th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-62645 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in the Restaurant Brands International (RBI) assistant platform. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks the CVE at the 41.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-62645 is a critical vulnerability in the Restaurant Brands International (RBI) assistant platform through version 2025-09-06. It enables a remote, authenticated attacker to obtain a token granting administrative privileges across the entire platform via the createToken GraphQL mutation. The issue, published on 2025-10-17, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-266 (Incorrect Privilege Assignment).

The only prerequisite is a valid low-privilege account (PR:L): attack complexity is low and no user interaction is required. Exploitation yields a token with full administrative privileges, giving comprehensive control over the platform. The scope change (S:C) reflects that the token's authority extends across the whole platform rather than only the component the attacker authenticated to, which is why confidentiality, integrity and availability are all rated high. Because any account holder can exploit it and a public proof-of-concept exists, the below-median EPSS score should not be read as low urgency.

References provided in the CVE record are the researcher's disclosure and press coverage: archive.today/fMYQp, bobdahacker.com/blog/rbi-hacked-drive-thrus, malwarebytes.com coverage of vulnerabilities in the Popeyes, Tim Hortons and Burger King drive-thru platforms, and yahoo.com articles on the related hacks.

The vulnerability has been publicly demonstrated against RBI brands' platforms, as detailed in the referenced blog post and reports.


Vulnerability details

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.

CWE(s)

CWE-266 Incorrect Privilege Assignment

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability allows low-privileged authenticated attackers to exploit a GraphQL mutation for creating an admin token, directly enabling Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42368 (shared CWE-266)
CVE-2025-69293 (shared CWE-266)
CVE-2026-42680 (shared CWE-266)
CVE-2025-69378 (shared CWE-266)
CVE-2026-27102 (shared CWE-266)
CVE-2025-22736 (shared CWE-266)
CVE-2024-40591 (shared CWE-266)
CVE-2026-48879 (shared CWE-266)
CVE-2025-33179 (shared CWE-266)
CVE-2026-25414 (shared CWE-266)

Affected Assets

Vendor: rbi
Product: restaurant brands international assistant
Versions: ≤ 2025-09-06

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-6 Least Privilege (prevent): enforcing least privilege would stop low-privilege authenticated users from obtaining administrative tokens via the createToken GraphQL mutation, which is exactly the incorrect privilege assignment this vulnerability describes.

AC-3 Access Enforcement (prevent): requiring enforcement of approved authorizations addresses the failure of the createToken mutation to restrict administrative token issuance to users already authorized for it.

AC-2 Account Management (prevent): managing accounts and their privileges, including monitoring which accounts hold token-related access rights, limits the population of accounts that could exploit the escalation and surfaces unexpected administrative token holders.
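The controls above prevent the issue; the monitoring side of AC-2 and the T1068 mapping also call for a detection. Here is an added example (not from the page or from RBI) of a detection rule for the createToken escalation pattern, run over constructed GraphQL gateway audit logs. The log schema (one JSON object per line carrying the caller's role and the role and scope requested for the new token) is an assumption; map the field names onto whatever your gateway actually emits.

```javascript
// Added example, not from the page or from RBI. The audit-log schema below
// is an assumption made for the example.
const ROLE_RANK = { user: 1, manager: 2, admin: 3 };

// Constructed sample log lines, including one malformed line and one blocked attempt.
const SAMPLE_AUDIT_LOG = [
  '{"ts":"2025-09-05T10:01:12Z","actor":"store-1234-staff","actor_role":"user","op":"mutation","field":"createToken","requested_role":"user","requested_scope":"store:1234","status":200}',
  '{"ts":"2025-09-05T10:02:40Z","actor":"store-1234-staff","actor_role":"user","op":"mutation","field":"createToken","requested_role":"admin","requested_scope":"platform","status":200}',
  '{"ts":"2025-09-05T10:03:05Z","actor":"platform-ops","actor_role":"admin","op":"mutation","field":"createToken","requested_role":"admin","requested_scope":"platform","status":200}',
  '{"ts":"2025-09-05T10:03:30Z","actor":"store-1234-staff","actor_role":"user","op":"query","field":"menu","status":200}',
  '{"ts":"2025-09-05T10:04:00Z","actor":"store-5678-staff","actor_role":"user","op":"mutation","field":"createToken","requested_role":"admin","requested_scope":"platform","status":403}',
  'garbage line that is not JSON',
].join('\n');

// One JSON event per line; malformed lines are skipped rather than aborting the run.
function parseAuditLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch { /* skip malformed lines */ }
  }
  return events;
}

// Rule: a createToken mutation that asks for a role above the caller's own, or
// for platform-wide scope from a non-admin, is an escalation attempt (T1068 via
// the mutation). A 200 means the token was issued (critical); any other status
// is a blocked attempt that still deserves a medium alert, since the caller is
// a valid account probing for the bug.
function detectTokenEscalation(events) {
  const alerts = [];
  for (const e of events) {
    if (e.op !== 'mutation' || e.field !== 'createToken') continue;
    const callerRank = ROLE_RANK[e.actor_role] ?? 0;
    const requestedRank = ROLE_RANK[e.requested_role] ?? 0;
    const outranks = requestedRank > callerRank;
    const platformWide = e.requested_scope === 'platform' && e.actor_role !== 'admin';
    if (!outranks && !platformWide) continue;
    alerts.push({
      severity: e.status === 200 ? 'critical' : 'medium',
      ts: e.ts,
      actor: e.actor,
      actor_role: e.actor_role,
      requested_role: e.requested_role,
      requested_scope: e.requested_scope,
      outcome: e.status === 200 ? 'token issued' : `blocked (HTTP ${e.status})`,
    });
  }
  return alerts;
}

function runDetection() {
  return detectTokenEscalation(parseAuditLog(SAMPLE_AUDIT_LOG));
}

console.log(runDetection());
```

On the sample above the rule fires twice: a critical alert for the user account that was issued a platform-wide admin token, and a medium alert for the blocked attempt from the second store account. The legitimate admin minting an admin token and the ordinary store-scoped self-token are left alone. If your gateway only logs the mutation name and not its arguments, the fallback is to alert on every createToken call from a non-admin principal and tune from there.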
