CVE-2025-6240
BaseFortify
Publication date: 2025-06-18
Last updated on: 2026-04-29
Assigner: Profisee
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6240 is a Path Traversal vulnerability in the Profisee Platform's File Attachment service on Windows. It occurs because user input is not properly sanitized, allowing an authenticated attacker with valid credentials to craft malicious payloads containing directory traversal sequences (like ../). This can lead to unauthorized access to sensitive files such as configuration and system files, and potentially allow modification of these files, compromising the system. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker who has authenticated access to the Profisee system to access and potentially modify sensitive files on the system that should be protected. This could lead to system compromise, unauthorized disclosure of sensitive information, and disruption of normal operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if your Profisee installation is within the affected versions (2020R1 through 2024R2) and checking for signs of exploitation attempts involving path traversal sequences such as '../' in file attachment requests. Since the vulnerability requires authentication and crafted payloads, monitoring logs for unusual file access patterns or directory traversal strings in requests to the File Attachment service is recommended. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official hotfixes or updates provided by Profisee. The fix is included in the 25R0 release and back-ported hotfixes are available for all supported versions and the out-of-support 22R2 version. SaaS customers will receive automatic deployment during maintenance windows but can request earlier deployment if needed. Self-hosted customers should obtain hotfix files from the Profisee support portal or updated container images from the Profisee container registry and follow the provided documentation to apply the fixes. [1]