Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2025-62645 — AI Deep Analysis Summary

CVSS 9.9 · Critical

Q1What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: A critical flaw in the RBI Assistant Platform allows attackers to steal admin tokens via a GraphQL mutation.…

Q2Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: **CWE-266** (Incorrect Privilege Assignment). 🐛 **Flaw**: The `createToken` GraphQL mutation is misconfigured, granting excessive privileges to authenticated users without proper validation.…

Q3Who is affected? (Versions/Components)

🏢 **Vendor**: Restaurant Brands International (RBI). 🍔 **Products**: Assistant Platform (used by Burger King, Popeyes, Tim Hortons). 📅 **Affected Versions**: All versions released **before 2025-09-06**.…

Q4What can hackers do? (Privileges/Data)

🔑 **Privileges**: Escalates from standard user to **Full Administrator**. 📂 **Data Access**: Complete access to the entire platform backend. 🚗 **Real World**: Attackers can control drive-thru systems and customer data.…

Q5Is exploitation threshold high? (Auth/Config)

🔐 **Auth Required**: Yes, but **Low** (PR:L). 🌐 **Network**: Remote (AV:N). 🖱️ **User Interaction**: None (UI:N). 📊 **Difficulty**: **Low** (AC:L). ⚡ **Verdict**: Easy to exploit for anyone with basic platform access.

Q6Is there a public Exp? (PoC/Wild Exploitation)

🔓 **Exploitation**: **Yes**, wild exploitation confirmed. 📰 **Evidence**: Hackers publicly demonstrated control over drive-thrus and platforms.…

Q7How to self-check? (Features/Scanning)

🔍 **Check**: Scan for the `createToken` GraphQL endpoint. 🧪 **Test**: Attempt to trigger the mutation with low-privilege credentials. 📡 **Indicator**: Look for unexpected admin token generation in logs.…

Q8Is it fixed officially? (Patch/Mitigation)

🛠️ **Fix**: Update to version **2025-09-06 or later**. ✅ **Official Patch**: RBI has acknowledged the issue and released a fix. 📥 **Action**: Immediate upgrade required for all Assistant Platform instances.…

Q9What if no patch? (Workaround)

🚧 **Workaround**: Restrict access to the `createToken` mutation. 🚫 **Block**: Disable GraphQL endpoints if possible. 👮 **Monitor**: Implement strict WAF rules for GraphQL traffic.…

Q10Is it urgent? (Priority Suggestion)

🔥 **Priority**: **CRITICAL** (CVSS 9.8). 🚨 **Urgency**: **Immediate Action Required**. ⏳ **Risk**: Active exploitation means zero-day window is closed. 🏃 **Action**: Patch within 24 hours.…