CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component.
AnalysisAI
Sistemas Pleno Gestão de Locação versions up to 2025.7.x contain an authorization bypass vulnerability in the CPF validation endpoint (/api/areacliente/pessoa/validarCpf) that allows remote, unauthenticated attackers to manipulate the pes_cpf parameter and bypass access controls. The vulnerability has a CVSS score of 5.5 (moderate) but carries a very low EPSS exploitation probability of 0.04% (11th percentile), suggesting limited real-world attack likelihood despite publicly available exploit code. Upgrading to version 2025.8.0 resolves the issue.
Technical ContextAI
The vulnerability exists in the CPF Handler component of Sistemas Pleno, a Brazilian property management and lease administration platform. CPF (Cadastro de Pessoas Físicas) is the Brazilian individual taxpayer registry number, typically 11 digits. The flaw is categorized under CWE-285 (Improper Authorization), which indicates the application fails to properly validate or enforce access control decisions based on user credentials or roles. The vulnerable endpoint /api/areacliente/pessoa/validarCpf accepts a pes_cpf parameter that is not adequately sanitized or validated before use in authorization decisions. The weakness allows attackers to supply crafted CPF values to bypass intended access restrictions, potentially granting unauthorized access to client account information or functionality tied to CPF-based identity verification.
Affected ProductsAI
Sistemas Pleno Gestão de Locação versions up to and including 2025.7.x are affected by this authorization bypass vulnerability. The flaw has been confirmed in the CPF Handler component of the application's client area API. Specific CPE identifiers for this product were not provided in the available intelligence sources. The vendor has released a patched version (2025.8.0) that resolves this issue. Additional technical details and proof-of-concept information are available in the public repository at https://github.com/lfparizzi/CVE-Sistemas_Pleno and through the VulDB advisory at https://vuldb.com/?id.325817.
RemediationAI
Upgrade Sistemas Pleno Gestão de Locação to version 2025.8.0 or later, which contains the vendor-released patch that resolves the authorization bypass. The patch should be deployed as soon as feasible within your change management process. If an immediate upgrade is not possible, implement network-level controls to restrict access to the affected /api/areacliente/pessoa/validarCpf endpoint to trusted internal networks or enforce rate limiting on this API endpoint to reduce the practical attack surface. Additionally, review access logs for the CPF validation endpoint to identify any signs of exploitation attempts, and consider implementing Web Application Firewall (WAF) rules to detect and block abnormal pes_cpf parameter values. For further details and vendor advisories, consult https://vuldb.com/?id.325817.
Share
External POC / Exploit Code
Leaving vuln.today