PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-60949 Census CVE debrief

CVE-2025-60949 is a critical vulnerability in Census CSWeb 8.0.1 that, in certain deployments, allows remote, unauthenticated attackers to retrieve configuration files over HTTP, which can leak sensitive information. The issue has been addressed in version 8.1.0 alpha, and users of affected versions should update as soon as possible. The vulnerability has a CVSS score of 9.1 (critical). The CVE was published on February 23, 2026.

Vendor
Census
Product
CSWeb
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-23
Original CVE updated
2026-02-23
Advisory published
2026-02-23
Advisory updated
2026-02-23

Who should care

System administrators and security teams running Census CSWeb, especially deployments that may expose 'app/config' over HTTP, should be aware of this vulnerability. Immediate action is recommended to prevent exploitation; updating to version 8.1.0 alpha or later is essential.

Technical summary

The vulnerability in Census CSWeb 8.0.1 arises because 'app/config' is reachable over HTTP in some deployments. An unauthenticated remote attacker can request the configuration files directly and potentially obtain the secrets they contain. The issue is resolved in version 8.1.0 alpha. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, reflecting high impact on confidentiality and integrity with no impact on availability.

Defensive priority

Updating Census CSWeb to version 8.1.0 alpha or later should be treated as a high priority. Until the update is applied, restrict HTTP access to 'app/config' and monitor for suspicious requests to configuration files.

Recommended defensive actions

  • Update Census CSWeb to version 8.1.0 alpha or later immediately.
  • Restrict access to 'app/config' via HTTP in deployments where feasible.
  • Monitor for suspicious requests to configuration files.
  • Review and adjust network configurations to prevent exposure of 'app/config'.
  • Consider compensating controls such as web application firewalls.
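The monitoring action above (watching for requests to configuration files) can be turned into a concrete log check. The following is an added example, not part of the advisory or of CSWeb itself: it parses web server access logs in the common "combined" format, normalises each request path (percent-decoding, lower-casing, collapsing repeated slashes) so that trivial variations of the path are still caught, flags any request touching 'app/config', and separates requests that were served (2xx, i.e. a likely disclosure) from those the server refused. The log lines are constructed sample data; the assumption that CSWeb's configuration lives under a web-root path ending in `/app/config` comes only from the advisory's mention of 'app/config', and the `/csweb/` prefix is a placeholder.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines ("combined" log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Feb/2026:10:01:02 +0000] "GET /csweb/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2026:10:01:05 +0000] "GET /csweb/app/config/settings.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Feb/2026:10:02:11 +0000] "GET /csweb/app%2Fconfig/ HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.4 - - [23/Feb/2026:10:02:12 +0000] "GET /csweb/APP/Config/ HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [23/Feb/2026:10:03:00 +0000] "POST /csweb/api/login HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

# Path segment named in the advisory; the surrounding web-root layout is an assumption.
SENSITIVE_PATH = "/app/config"

# Client IP, timestamp, request line (method, path, protocol) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalise_path(path):
    """Strip the query string, percent-decode, lower-case and collapse '//' so
    '/APP/Config', '/app%2Fconfig' and '/app//config' all compare equal."""
    decoded = unquote(path.split("?", 1)[0]).lower()
    return re.sub(r"/+", "/", decoded)


def is_config_request(path):
    return SENSITIVE_PATH in normalise_path(path)


def find_config_requests(log_text):
    """Return one record per request that touched the configuration path.
    'disclosed' is True when the server answered 2xx, i.e. content was served."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_config_request(rec["path"]):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "disclosed": 200 <= rec["status"] < 300,
            })
    return hits


def summarise(hits):
    """Aggregate hits by source address and count likely disclosures."""
    return {
        "total": len(hits),
        "per_ip": dict(Counter(h["ip"] for h in hits)),
        "disclosed": sum(1 for h in hits if h["disclosed"]),
    }


if __name__ == "__main__":
    found = find_config_requests(SAMPLE_LOG)
    for h in found:
        verdict = "SERVED (review for disclosure)" if h["disclosed"] else "blocked"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["path"]} -> {verdict}')
    print(summarise(found))
```

On the sample data the check finds three requests to the configuration path from two addresses; only the first (HTTP 200) indicates that configuration content was actually served, which is the event that should trigger secret rotation and an incident review. Requests answered with 403 or 404 still show reconnaissance and are worth alerting on, but confirm that the restriction on 'app/config' is working.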

Evidence notes

The source item provided by CISA (cisa_csaf) details the vulnerability and its fix. Additional references include the CVE record and NVD detail pages. The information indicates a high severity vulnerability that requires prompt action.

Official resources

This article is AI-assisted and based on the supplied source corpus.