{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-66955", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-14T03:32:45.511Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-03-12T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-13T15:08:53.120Z"}, "descriptions": [{"lang": "en", "value": "Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via \"path\" parameter in the downloadAttachment and downloadAttachmentFromPath API calls."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://asseco.com"}, {"url": "https://github.com/TheWoodenBench/CVE-2025-66955"}, {"url": "https://live.asee.io/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-14T03:31:56.868610Z", "id": "CVE-2025-66955", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:32:45.511Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-66955", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-14T03:31:56.868610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:32:28.009Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://asseco.com"}, {"url": "https://github.com/TheWoodenBench/CVE-2025-66955"}, {"url": "https://live.asee.io/"}], "descriptions": [{"lang": "en", "value": "Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via \"path\" parameter in the downloadAttachment and downloadAttachmentFromPath API calls."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-13T15:08:53.120Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66955", "state": "PUBLISHED", "dateUpdated": "2026-03-14T03:32:45.511Z", "dateReserved": "2025-12-08T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-12T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via \"path\" parameter in the downloadAttachment and downloadAttachmentFromPath API calls."}, {"lang": "es", "value": "Inclusi\u00f3n local de ficheros en los componentes Contact Plan, E-Mail, SMS y Fax en Asseco SEE Live 2.0 permite a usuarios autenticados remotos acceder a ficheros en el host a trav\u00e9s del par\u00e1metro 'path' en las llamadas a la API downloadAttachment y downloadAttachmentFromPath."}], "id": "CVE-2025-66955", "lastModified": "2026-03-16T14:18:00.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-12T19:16:15.077", "references": [{"source": "cve@mitre.org", "url": "http://asseco.com"}, {"source": "cve@mitre.org", "url": "https://github.com/TheWoodenBench/CVE-2025-66955"}, {"source": "cve@mitre.org", "url": "https://live.asee.io/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "see_live", "vendor": "asseco"}], "analysis": {"en": {"generated_at": "2026-03-18T14:48:13.625755+00:00", "value": {"mitigation_remediation": ["Check the Asseco website or release notes for an official patch or newer version and apply it immediately.", "If a patch is not yet available, limit or disable the downloadAttachment and downloadAttachmentFromPath API endpoints for non\u2011essential users or revoke unnecessary credentials so that authenticated access is restricted.", "Monitor system logs for suspicious file download activity and consider implementing a Web Application Firewall rule to block path traversal patterns."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The affected product is Asseco SEE Live 2.0. No specific affected version range is listed in the CNA documentation, and the known affected versions field is empty. Thus, all installations of version 2.0 are potentially vulnerable unless a later, patched release has been deployed.", "description_and_impact": "The vulnerability is a Local File Inclusion flaw in the Contact Plan, E\u2011Mail, SMS, and Fax components of Asseco SEE Live 2.0. Authenticated users can use the \"path\" parameter in the downloadAttachment and downloadAttachmentFromPath API calls to download arbitrary files from the host. This allows the attacker to read sensitive files such as configuration files, logs, or credentials, thereby compromising confidentiality and potentially exposing further information that could be used for additional attacks.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity assessment, while the EPSS score of less than 1% suggests a low exploit probability at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate authentication to the API and manipulation of the \"path\" parameter; no additional privileges are required, so any user with access can read files within the process's permissions. The risk primarily stems from data exposure rather than immediate remote code execution."}}}}, "created": "2026-03-13T09:53:51.351624+00:00", "title": "Local File Inclusion in Asseco SEE Live 2.0 Allows Authenticated Users to Read Arbitrary Host Files", "updated": "2026-03-20T15:36:35.940694+00:00", "vendors": ["asseco", "asseco$PRODUCT$see_live"], "weaknesses": ["CWE-22", "CWE-200"]}