CVE-2025-26137
Published: 18 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26137, published on 2025-03-18, affects Systemic Risk Value versions <=2.8.0 and involves a Local File Inclusion vulnerability via the /GetFile.aspx?ReportUrl= endpoint. Classified under CWE-98, it allows an unauthenticated attacker to read arbitrary system files by supplying a crafted file path in the ReportUrl parameter. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges or user interaction required.
An unauthenticated attacker can exploit this issue remotely by sending a malicious request to the vulnerable endpoint, traversing the file system to access sensitive files such as configuration data, logs, or other system resources. Successful exploitation could lead to the disclosure of sensitive information, enabling further reconnaissance or attacks depending on the exposed data.
Further details, including potential proof-of-concept code, are available in the GitHub repository at https://github.com/Arakiba/CVEs/tree/main/CVE-2025-26137. No vendor-specific patches or mitigation guidance are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI vulnerability enables unauthenticated arbitrary file reads on the server, facilitating data collection from local system (T1005), discovery of credentials in files (T1081), file and directory discovery (T1083), and exploitation of public-facing web applications (T1190).