External risk intelligence

Restajet Online Food Delivery System Password Recovery Exploitation

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2025-1928

A critical vulnerability in the Restajet Online Food Delivery System allows unauthorized account access by exploiting excessive authentication attempts during password recovery. The system is publicly accessible and can be targeted remotely by unauthenticated attackers, potentially leading to the compromise of sensitiv

Halo Surface Signal: 5

Restajet Online Food Delivery System

External exposure likelihood

Halo Surface Signal score for CVE-2025-1928

The product is an Online Food Delivery System, which by design requires public-facing web interfaces to allow customers to browse menus, place orders, and manage accounts, making it inherently internet-accessible.

PCI scan relevance

PCI Relevance for CVE-2025-1928

Yes

CVE-2025-1928 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability, which concerns excessive authentication attempts and password recovery exploitation in the Restajet Online Food Delivery System, is PCI scan-relevant because a finding of this kind could lead to an automatic scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Restajet Information Technologies Inc. Online Food Delivery System could allow unauthorized access to user accounts through exploitation of excessive authentication attempts, potentially impacting password recovery functions. This critical issue affects the system through December 19, 2025, and has been disclosed to the vendor with no response.

  • Allows unauthorized account access.
  • Critical vulnerability in a public-facing system.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could remotely target the online food delivery system without needing any initial access or authentication. By repeatedly attempting to recover a user's password, an attacker could potentially gain unauthorized access to user accounts, leading to a compromise of sensitive information and the ability to manipulate orders. The vendor has not responded to inquiries about this vulnerability.

  • No authentication required for access.
  • Exploits password recovery feature.
  • Leads to account takeover and data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the online food delivery system, potentially affecting user account information and the system's overall integrity. Because the password recovery flow does not limit repeated attempts, it could be leveraged to compromise accounts when the system is reachable and the recovery function is enabled.

  • User account data could be compromised.
  • Unauthorized access via password recovery.
  • Compromised user accounts and system access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The vendor for the Restajet Online Food Delivery System has not responded to inquiries regarding this vulnerability. The system's public-facing nature, due to its function, suggests it is likely internet-accessible and could be targeted by unauthenticated attackers. The first practical move is to identify all instances of the affected system, assess their exposure and business criticality, and then determine the accountable owner for remediation.

  • System owners and vendor management should lead.
  • Verify public-facing exposure and business impact.
  • Coordinate vendor outreach and plan remediation.

Frequently asked questions

What is the Restajet Online Food Delivery System?

The Restajet Online Food Delivery System is software designed for managing food orders and deliveries online. People use it to browse menus, place orders, and handle customer accounts, making it a crucial part of a food service business's online presence.

How does CVE-2025-1928 affect the delivery system?

CVE-2025-1928 is an Improper Restriction of Excessive Authentication Attempts vulnerability. It means an attacker could try guessing or manipulating password recovery attempts too many times without being stopped, potentially exploiting this weakness to gain unauthorized access to user accounts.
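As an added illustration of the missing control (this is not Restajet's code; the page does not show the product's implementation), here is a password-recovery code check that caps repeated guesses: a per-account attempt counter, a lockout window, code expiry and single use. The class name, the limits and the six-digit code format are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # wrong guesses allowed per recovery code (assumed limit)
LOCKOUT_SECONDS = 900     # 15-minute lockout once the limit is hit (assumed)
TOKEN_TTL_SECONDS = 600   # recovery codes expire after 10 minutes (assumed)


@dataclass
class RecoveryState:
    code: str
    issued_at: float
    failures: int = 0
    locked_until: float = 0.0


class RecoveryService:
    """Password-recovery verification with attempt limiting (CWE-307 mitigation)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so tests can fast-forward
        self._pending: dict[str, RecoveryState] = {}

    def issue_code(self, account: str) -> str:
        # 6-digit code from a CSPRNG; a 10^6 keyspace is only safe with throttling
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = RecoveryState(code=code, issued_at=self._clock())
        return code

    def verify(self, account: str, candidate: str) -> str:
        state = self._pending.get(account)
        now = self._clock()
        if state is None:
            return "no_request"
        if now < state.locked_until:
            return "locked"                     # refused even if the guess is right
        if now - state.issued_at > TOKEN_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(state.code, candidate):
            del self._pending[account]          # single use: code cannot be replayed
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.code = secrets.token_hex(8)   # invalidate the code being guessed at
            return "locked"
        return "bad_code"
```

Without the failure counter and lockout, the same `verify` loop would let a remote client iterate the whole code space, which is the weakness class the advisory describes.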

What are the attacker's preconditions to exploit this vulnerability?

An attacker does not need any initial access or authentication to target this vulnerability. They can remotely attack the online food delivery system by repeatedly attempting to recover a user's password, which could lead to unauthorized account access without triggering defenses.

Who should care about this vulnerability in the Restajet system?

Anyone running the Restajet Online Food Delivery System should care, especially if it is internet-facing. The Halo Surface Signal indicates this type of system is 'Very likely' internet-accessible due to its public-facing web interfaces, meaning external attackers could potentially reach it.

What are the first steps for organizations running this technology?

If you are running the Restajet Online Food Delivery System, the first step is to identify all instances of the software. Then, assess their potential exposure to the internet and their business importance, and figure out who is responsible for fixing the issue.
