CVE-2025-62645 — AI Deep Analysis Summary

🚨 **Essence**: A critical flaw in the RBI Assistant Platform allows attackers to steal admin tokens via a GraphQL mutation.…

🛡️ **Root Cause**: **CWE-266** (Incorrect Privilege Assignment). 🐛 **Flaw**: The `createToken` GraphQL mutation is misconfigured, granting excessive privileges to authenticated users without proper validation.…

🏢 **Vendor**: Restaurant Brands International (RBI). 🍔 **Products**: Assistant Platform (used by Burger King, Popeyes, Tim Hortons). 📅 **Affected Versions**: All versions released **before 2025-09-06**.…

🔑 **Privileges**: Escalates from standard user to **Full Administrator**. 📂 **Data Access**: Complete access to the entire platform backend. 🚗 **Real World**: Attackers can control drive-thru systems and customer data.…

🔐 **Auth Required**: Yes, but **Low** (PR:L). 🌐 **Network**: Remote (AV:N). 🖱️ **User Interaction**: None (UI:N). 📊 **Difficulty**: **Low** (AC:L). ⚡ **Verdict**: Easy to exploit for anyone with basic platform access.

🔓 **Exploitation**: **Yes**, wild exploitation confirmed. 📰 **Evidence**: Hackers publicly demonstrated control over drive-thrus and platforms.…

🔍 **Check**: Scan for the `createToken` GraphQL endpoint. 🧪 **Test**: Attempt to trigger the mutation with low-privilege credentials. 📡 **Indicator**: Look for unexpected admin token generation in logs.…

🛠️ **Fix**: Update to version **2025-09-06 or later**. ✅ **Official Patch**: RBI has acknowledged the issue and released a fix. 📥 **Action**: Immediate upgrade required for all Assistant Platform instances.…

🚧 **Workaround**: Restrict access to the `createToken` mutation. 🚫 **Block**: Disable GraphQL endpoints if possible. 👮 **Monitor**: Implement strict WAF rules for GraphQL traffic.…

🔥 **Priority**: **CRITICAL** (CVSS 9.8). 🚨 **Urgency**: **Immediate Action Required**. ⏳ **Risk**: Active exploitation means zero-day window is closed. 🏃 **Action**: Patch within 24 hours.…