CVE-2025-62649
In short
The RBI assistant platform uses client-side authentication to process equipment orders, meaning the security check happens in your browser instead of on the server. An attacker can bypass this check and submit unauthorized orders.
Technical detail
Client-side authentication validation can be circumvented by intercepting or modifying requests before they reach the server. An attacker with network access or the ability to modify local client code can forge equipment orders without valid credentials, bypassing the intended access controls.
Summary generated and translated by AI from the official description.
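The weakness class described above, as an added example that is not code from the RBI platform or the advisory: an order-submission handler that honours a client-computed authentication flag, beside one that resolves identity and role from a server-side session store (all names, roles and request data are constructed).

```python
# Added illustration (not the RBI platform's code): an order-submission
# handler that trusts a browser-computed flag, beside one that resolves
# identity from a server-side session. All names and data are constructed.
import secrets

# Server-side session store: opaque token -> user record.
SESSIONS: dict[str, dict] = {}

# Roles permitted to submit equipment orders (constructed policy).
ORDER_ROLES = {"franchise_manager"}


def login(username: str, role: str) -> str:
    """Issue an unguessable session token after a (simulated) credential check."""
    token = secrets.token_urlsafe(24)
    SESSIONS[token] = {"user": username, "role": role}
    return token


def submit_order_client_trusted(request: dict) -> str:
    """Vulnerable pattern: the server honours an 'is_authenticated' flag that
    the client computed, so any caller can set it to True."""
    if not request.get("is_authenticated"):
        return "rejected"
    return "accepted"


def submit_order_server_verified(request: dict) -> str:
    """Hardened pattern: identity and role come only from the server's own
    session store; client-supplied flags are ignored entirely."""
    session = SESSIONS.get(request.get("session_token", ""))
    if session is None or session["role"] not in ORDER_ROLES:
        return "rejected"
    return "accepted"


# Constructed request from a caller with no valid session who simply sets
# the flag the client-side check would have set after a real login.
FORGED_REQUEST = {
    "is_authenticated": True,
    "session_token": "made-up-token",
    "body": {"item": "fryer", "qty": 2},
}


def demo() -> tuple[str, str, str]:
    """Forged request against both handlers, then a real session against the hardened one."""
    forged_vs_client = submit_order_client_trusted(FORGED_REQUEST)
    forged_vs_server = submit_order_server_verified(FORGED_REQUEST)
    token = login("manager@example.test", "franchise_manager")
    legit = dict(FORGED_REQUEST, session_token=token)
    return forged_vs_client, forged_vs_server, submit_order_server_verified(legit)
```

The forged request is accepted only by the handler that trusts the client flag; the hardened handler rejects it and accepts the same order once a server-issued session token is present.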
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for submission of equipment orders.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Affected products
Restaurant Brands International · assistant platform
References
https://archive.today/fMYQp
https://bobdahacker.com/blog/rbi-hacked-drive-thrus/
https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus
https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers
https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html