CVE-2025-66956
Published: 11 March 2026
Description
Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for logical access to information and system resources, directly addressing the insecure access control that allows remote attackers to access attachments via computable URLs.
- Authorizes access to system resources based on access control decisions, mitigating the bypass of restrictions through computable URLs in the affected components.
- Employs least privilege to restrict low-privilege accounts from enabling unauthorized access and execution of attachments over the network.
Security Summary
CVE-2025-66956 is an insecure access control vulnerability (CWE-284) in the Contact Plan, E-Mail, SMS, and Fax components of Asseco SEE Live 2.0. Published on 2026-03-11T21:16:13.037, it carries a CVSS v3.1 base score of 9.9 (Critical), indicating severe risk due to its network accessibility, low complexity, and broad impact potential. The issue enables remote attackers to access and execute attachments through a computable URL, bypassing intended restrictions.
Attackers require only low privileges (PR:L) to exploit the vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a change in scope (S:C), allowing unauthorized access and execution of attachments that could facilitate further compromise, such as code execution or data exfiltration.
Mitigation guidance and additional details are available in vendor advisories and resources, including http://asseco.com, https://github.com/TheWoodenBench/CVE-2025-66956, and https://live.asee.io/. Security practitioners should consult these references for patching instructions and workarounds specific to Asseco SEE Live 2.0 deployments.
Details
- CWE(s): CWE-284 (Improper Access Control)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure access control in network-accessible components allows remote low-privileged attackers to access and execute attachments via crafted URLs, enabling exploitation of a public-facing application for potential full system compromise.