CVE-2025-66723
Unknown Unknown - Not Provided
Insecure Permissions in inMusic Engine DJ 4.3.0 Exposes Files

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: MITRE

Description
inMusic Brands Engine DJ 4.3.0 suffers from Insecure Permissions due to exposed HTTP service in the Remote Library, which allows attackers to access all files and network paths.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66723
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
inmusic engine_dj 4.3.4
inmusic engine_dj 4.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-66723 is a vulnerability in inMusic Brands Engine DJ software versions 3.0.0 up to before 4.3.4. It arises from an embedded HTTP server that serves media library files over the network without any authentication or authorization controls. Attackers with network access can request arbitrary files on the local filesystem or accessible network shares by specifying file paths in HTTP GET requests. This allows unauthorized access to sensitive files such as private keys or environment files. The vulnerability is due to insecure permissions and missing authorization in the HTTP service of the Remote Library component. [2]

Impact Analysis

This vulnerability can allow an attacker with network access to the affected system to exfiltrate arbitrary files accessible by the Engine DJ process user without any authentication. This could lead to exposure of sensitive information such as private SSH keys, environment configuration files, or confidential data stored on network shares. Such unauthorized file access can compromise system security and privacy. [2]

Detection Guidance

Detection is challenging because the vulnerable HTTP server does not identify itself and network behavior is similar between vulnerable and patched versions. The only way to confirm the vulnerability is by attempting to request a known existing file via HTTP GET on port 50020. For example, you can use a command like: curl "http://<target-ip>:50020/download/<C:/path/to/knownfile>" and check if the file content is returned without authentication. If the file is accessible, the system is vulnerable. [2]

Mitigation Strategies

Users should immediately upgrade Engine DJ to version 4.3.4 or later, which implements a whitelist restricting downloadable files to those within the media library and returns HTTP 403 Forbidden for unauthorized file requests. This update prevents unauthorized file access while still allowing media file downloads without authentication. [2]

Compliance Impact

The vulnerability allows unauthorized access to arbitrary local or network files without authentication, potentially exposing sensitive personal or protected information. This exposure could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal and sensitive data. Therefore, organizations using affected versions of Engine DJ may face compliance risks until they apply the mitigation in version 4.3.4 or later. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart