Unrated severityNVD Advisory· Published Oct 17, 2025· Updated Oct 29, 2025

CVE-2025-62647

Description

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.

Affected products

Restaurant Brands International/RBI assistant platformllm-fuzzy
Range: <= 2025-09-06
Restaurant Brands International/assistant platformv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

archive.today/fMYQpmitre
bobdahacker.com/blog/rbi-hacked-drive-thrus/mitre
web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrusmitre
www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackersmitre
www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000