CVE-2025-65843
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-65843, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-03

Last updated on: 2025-12-18

Assigner: MITRE

Description

Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the ~/Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius recursively enumerates logs using a JUCE directory iterator configured to follow symlinks, and later writes file data without validating whether the target is a symbolic link. A local attacker can exploit this behavior by planting symlinks to arbitrary filesystem locations, resulting in unauthorized disclosure or modification of arbitrary files. When chained with the associated HelperTool privilege escalation issue, root-owned files may also be exposed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-03
Last Modified
2025-12-18
Generated
2026-07-06
AI Q&A
2025-12-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
acustica-audio aquarius 3.0.069
acustica_audio aquarius_desktop 3.0.069

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Aquarius Desktop 3.0.069 for macOS has a vulnerability in its support data archive generation feature where it follows symbolic links inside the ~/Library/Logs/Aquarius directory as if they were regular files. This means that when the application builds the support ZIP file, it recursively enumerates logs and writes file data without checking if the files are actually symbolic links. A local attacker can exploit this by placing symlinks to arbitrary filesystem locations, potentially causing unauthorized disclosure or modification of files. If combined with a related privilege escalation issue, even root-owned files could be exposed.

Impact Analysis

This vulnerability can lead to unauthorized disclosure or modification of arbitrary files on the affected system. A local attacker could exploit it to access sensitive information or alter files they should not have access to. If combined with a privilege escalation vulnerability, it could expose even root-owned files, significantly increasing the risk and impact.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart