CVE-2025-62650
In short
The RBI assistant platform enforces the authentication check for its diagnostic screen only in the user's browser, not on the server. Anyone who can edit the page's JavaScript, change its client-side state, or request the diagnostic endpoint directly can bypass the check and reach screens they should not see. This matters because the diagnostic screen exposes sensitive information that an attacker could view or modify.
Technical detail
CWE-603 (Use of Client-Side Authentication) affects the RBI assistant platform, where authentication validation for diagnostic screen access is performed client-side only. An attacker can bypass browser-side checks through local manipulation or network interception to gain unauthorized access to diagnostic functionality and potentially sensitive system information. No server-side validation is enforced.
Summary generated and translated by AI from the official description.
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
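The following is an added illustration of the CWE-603 pattern described above, not code from the RBI platform or from the researchers' write-up. The route name `/diagnostics`, the cookie-based session, the role name `diagnostics`, and the sample session store and diagnostic payload are all assumptions constructed for the example. It shows why a browser-side gate is decoration rather than a control, and what the server-side check that was missing looks like.

```javascript
// Added example (not RBI's code). Models a diagnostic-screen route two ways:
// the client-side-only gate that CWE-603 describes, and a server-side check.

// Constructed sample data: a server-side session store and the diagnostic payload.
// Session IDs, roles, and payload fields are assumptions for the example.
const SESSIONS = new Map([
  ["sess-ops-1", { user: "ops", roles: ["diagnostics"] }],
  ["sess-guest-1", { user: "guest", roles: [] }],
]);
const DIAGNOSTICS = { store: "0001", queueDepth: 3, firmware: "1.2.3" };

// Vulnerable pattern, browser side: the page decides whether to show the screen
// from state the user fully controls (localStorage, a cookie, a JS variable).
// Setting isAdmin to "true" in devtools, or skipping the page entirely, defeats it.
function clientSideGate(localStorageState) {
  return localStorageState.isAdmin === "true" ? "show-diagnostics" : "hide-diagnostics";
}

// Vulnerable pattern, server side: the endpoint behind that gate performs no
// authentication at all, so a direct request (curl, Burp, fetch) succeeds.
function vulnerableHandler(req) {
  if (req.path === "/diagnostics") return { status: 200, body: DIAGNOSTICS };
  return { status: 404 };
}

// Extract the session cookie from a raw Cookie header; returns null if absent.
function sessionIdFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;\s]+)/.exec(cookieHeader || "");
  return m ? m[1] : null;
}

// Hardened pattern: the server authenticates and authorizes every request
// against its own session store, regardless of what the browser did or showed.
function hardenedHandler(req) {
  if (req.path !== "/diagnostics") return { status: 404 };
  const sid = sessionIdFromCookie(req.headers && req.headers.cookie);
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) return { status: 401 }; // not authenticated
  if (!session.roles.includes("diagnostics")) return { status: 403 }; // authenticated, not authorized
  return { status: 200, body: DIAGNOSTICS };
}

// Stand-alone demonstration: an attacker with no session requests the URL directly.
const attackerRequest = { path: "/diagnostics", headers: {} };
console.log("client gate for attacker:", clientSideGate({ isAdmin: "false" }));
console.log("vulnerable server:", vulnerableHandler(attackerRequest).status); // 200
console.log("hardened server:", hardenedHandler(attackerRequest).status);     // 401
```

The bypass needs no exploit code: the attacker simply never runs the client-side gate. Any check that must hold has to run where the attacker cannot edit it, which for a web application is the request handler, and it must be applied to the data endpoint, not just to the page that renders it.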
Affected products
Restaurant Brands International · assistant platform
References
https://archive.today/fMYQp
https://bobdahacker.com/blog/rbi-hacked-drive-thrus/
https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus
https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers
https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html