CVE-2025-2493
Published: 18 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-2493, published on 2025-03-18, is a Path Traversal vulnerability (CWE-22) in Softdial Contact Center from Sytel Ltd. The flaw affects the ‘/softdial/scheduler/load.php’ endpoint, where attackers can manipulate the ‘id’ parameter to navigate beyond the intended directory boundaries. This enables unauthorized access to sensitive files outside the expected scope, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
The vulnerability is exploitable remotely over the network by any unauthenticated attacker (PR:N) using low-complexity techniques (AC:L) without requiring user interaction (UI:N). Successful exploitation grants high-level (C:H) read access to sensitive files, while leaving integrity (I:N) and availability (A:N) unaffected and scope unchanged (S:U).
The INCIBE-CERT advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-softdial-contact-center) covers this path traversal issue among multiple vulnerabilities in Softdial Contact Center. Security practitioners should review the notice for recommended mitigations, including any available patches or workarounds.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing web app directly enables T1190 for remote exploitation and facilitates T1005 by allowing unauthorized read access to sensitive local system files.