PatchSiren cyber security CVE debrief
CVE-2025-66955 Asseco CVE debrief
CVE-2025-66955 is a medium-severity local file inclusion issue affecting the Contact Plan, E-Mail, SMS, and Fax components in Asseco SEE Live 2.0. The issue is described as exposure through the path parameter in the downloadAttachment and downloadAttachmentFromPath API calls, allowing remote authenticated users to access files on the host. The CVE was published on 2026-03-12 and last modified on 2026-05-12; the supplied NVD record is still marked "Awaiting Analysis."
- Vendor: Asseco
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-12
- Original CVE updated: 2026-05-12
- Advisory published: 2026-03-12
- Advisory updated: 2026-05-12
Who should care
Security teams, platform administrators, and application owners running Asseco SEE Live 2.0, especially environments where authenticated users can reach attachment-download APIs or where host file exposure would be sensitive.
Technical summary
The supplied description indicates a path-handling flaw in attachment download endpoints. Because the vulnerable calls accept a path parameter, insufficient validation or canonicalization may allow access to unintended files on the host. NVD associates the issue with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and CWE-552 (Files or Directories Accessible to External Parties), which aligns with a confidentiality-only, file-disclosure impact rather than integrity or availability loss. The record should be treated as a published vulnerability entry, but the supplied corpus offers little vendor-sourced detail.
Defensive priority
Medium
Recommended defensive actions
- Review whether Asseco SEE Live 2.0 is deployed and whether authenticated users can invoke downloadAttachment or downloadAttachmentFromPath.
- Apply vendor fixes or mitigations as soon as they are available; monitor the NVD and vendor references for updated guidance.
- Restrict access to attachment-download functionality to the smallest necessary authenticated user set.
- Validate and canonicalize file paths server-side, and allow only approved attachment directories or identifiers.
- Run the service with least-privilege filesystem permissions to reduce the impact of unintended file access.
- Monitor logs for unusual attachment-download requests and repeated access attempts to unexpected paths.
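The two technical actions above (server-side path canonicalization with an allowlisted attachment root or identifier lookup, and monitoring for repeated requests to unexpected paths) are illustrated by the following added example. It is not Asseco code and assumes nothing about how SEE Live stores attachments; the root directory, the attachment index, the request handler and the sample traffic are all constructed for the example.

```python
"""Added example: safe attachment resolution plus detection of repeated rejected
requests. Not Asseco code; all paths, ids and traffic below are constructed."""
import os
from collections import Counter
from typing import Optional

# Assumption: the service keeps every downloadable attachment under one fixed
# directory. This is a placeholder path, not a known product location.
ATTACHMENT_ROOT = "/srv/example-app/attachments"

# Preferred design: clients reference attachments by an opaque id and the
# server owns the id-to-file mapping. Constructed sample index.
ATTACHMENT_INDEX = {
    "att-1001": "contact-plan/2025-Q4.pdf",
    "att-1002": "fax/incoming/0042.tif",
}


def resolve_attachment_path(root: str, requested: str) -> Optional[str]:
    """Canonicalize a client-supplied relative path and confirm it stays under root.

    Returns the canonical absolute path, or None when the request must be refused.
    """
    if not requested or "\x00" in requested:
        return None
    # Clients may only name files relative to the root; absolute paths and
    # backslashes (never needed for attachment names here) are refused outright.
    if os.path.isabs(requested) or "\\" in requested:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # realpath collapses "..", duplicate separators and existing symlinks, so a
    # containment check on its result catches traversal and symlink escapes.
    if candidate == root_real:
        return None  # the root directory itself is not a downloadable attachment
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:
        inside = False  # e.g. paths on different drives on Windows
    return candidate if inside else None


def resolve_attachment_id(root: str, attachment_id: str, index: dict) -> Optional[str]:
    """Look up an opaque id in the server-side index; unknown ids are refused."""
    stored = index.get(attachment_id)
    if stored is None:
        return None
    # The stored name is still run through the same containment check.
    return resolve_attachment_path(root, stored)


def handle_download(root: str, user: str, requested: str) -> dict:
    """Resolve one request and return a structured log event for monitoring."""
    resolved = resolve_attachment_path(root, requested)
    return {
        "user": user,
        "requested": requested,
        "outcome": "allowed" if resolved else "rejected",
        "resolved": resolved,
    }


def flag_probing_users(events: list, threshold: int = 3) -> dict:
    """Return {user: rejected_count} for users whose rejections reach threshold."""
    rejected = Counter(e["user"] for e in events if e["outcome"] == "rejected")
    return {u: n for u, n in rejected.items() if n >= threshold}


# Constructed traffic: one normal user and one user repeatedly hitting
# paths outside the attachment root.
SAMPLE_REQUESTS = [
    ("alice", "email/inbox/msg-1.eml"),
    ("bob", "../../etc/passwd"),
    ("bob", "..\\..\\windows\\win.ini"),
    ("bob", "/etc/shadow"),
    ("alice", "contact-plan/2025-Q4.pdf"),
]


def audit(root: str, requests: list, threshold: int = 3):
    """Run the handler over sample traffic and report users worth a closer look."""
    events = [handle_download(root, user, path) for user, path in requests]
    return events, flag_probing_users(events, threshold)


if __name__ == "__main__":
    events, flagged = audit(ATTACHMENT_ROOT, SAMPLE_REQUESTS)
    for event in events:
        print(event)
    print("users with repeated rejected requests:", flagged)
```

The containment check is done on the canonical form of both the root and the candidate, so it is not fooled by `..` segments, repeated separators or a symlink inside the root that points elsewhere. The id-based lookup is the stronger option because the client never supplies a filesystem path at all; the rejection events it produces are exactly the signal the monitoring step above looks for.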
Evidence notes
This debrief is based only on the supplied CVE/NVD corpus. The record describes local file inclusion in Asseco SEE Live 2.0 components (Contact Plan, E-Mail, SMS, Fax) via the path parameter in downloadAttachment and downloadAttachmentFromPath. The provided NVD metadata lists CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and CWE-552, with vulnStatus shown as "Awaiting Analysis" on the supplied modified date.
Official resources
CVE published on 2026-03-12 and modified on 2026-05-12. The supplied NVD entry was also modified on 2026-05-12 and remains marked "Awaiting Analysis." No KEV entry was provided.