Introduction
Attackers could obtain administrative access to the core management systems of Burger King, Tim Hortons, and Popeyes by exploiting a single GraphQL mutation. Over 30,000 restaurant locations were exposed to potential compromise, affecting employee data, drive-thru audio, and operational controls. This post summarizes CVE-2025-62645, a critical vulnerability in Restaurant Brands International's assistant platform, with a CVSS score of 9.9.
About Restaurant Brands International (RBI): RBI is a global leader in the quick-service restaurant sector, operating Burger King, Tim Hortons, Popeyes, and Firehouse Subs. With over 32,000 locations in 120+ countries, RBI platforms process millions of transactions and manage vast employee and customer data. Security failures in such an environment have significant global impact.
Technical Information
The vulnerability in the RBI assistant platform arises from a combination of authentication and authorization failures:
- AWS Cognito Misconfiguration: User registration was not disabled, allowing anyone to create an account without administrative approval. This expanded the attack surface unnecessarily.
- Email Verification Bypass: An alternative registration endpoint allowed attackers to bypass email verification, with credentials sent in plaintext to unverified addresses.
- GraphQL Introspection Enabled: Attackers could enumerate the entire API schema, revealing sensitive operations.
- createToken Mutation: The GraphQL mutation createToken accepted parameters that allowed privilege escalation. Critically, it lacked authorization checks, so any authenticated user could request an administrative token.
- Hardcoded and Default Credentials: Passwords were found hardcoded in HTML, and drive-thru tablets used the default password 'admin'.
Exploitation Flow:
- Register a user account via the open Cognito endpoint or the email verification bypass.
- Use GraphQL introspection to discover the createToken mutation and its parameters.
- Authenticate and invoke createToken, requesting administrative privileges.
- Use the returned token for unrestricted access to employee data, drive-thru audio, store management, and equipment ordering across all RBI brands.
Root Cause:
- Failure to restrict user registration in AWS Cognito.
- Absence of email verification enforcement.
- Exposed GraphQL introspection in production.
- Lack of authorization logic in the createToken mutation.
- Poor credential management (hardcoded and default passwords).
No public code snippets are available. All technical details are sourced from public disclosures and archived research.
Affected Systems and Versions
- Products: RBI assistant platform for Burger King, Tim Hortons, and Popeyes
- Version: All versions through 2025-09-06
- Vulnerable Configurations:
- AWS Cognito with public user registration enabled
- GraphQL API with introspection enabled
- createToken mutation lacking authorization checks
- Email verification not enforced
- Hardcoded or default credentials present
Vendor Security History
- RBI has previously faced issues with exposed credentials and configuration weaknesses (see Cybernews 2023 report).
- The company remediated this vulnerability within a day of disclosure but responded to researchers with legal threats, not public recognition.
- Security maturity is questioned due to repeated basic security failures and negative response to responsible disclosure.