CVE-2025-68462
Improper Permissions in Freedombox Backups Allow Data Exposure
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freedombox | freedombox | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in FreedomBox before version 25.17.1 involves improper permissions set on the backups-data directory. Because of this, unauthorized users can read the database dump files stored in that directory, potentially exposing sensitive data. [1]
How can this vulnerability impact me?
The vulnerability allows unauthorized reading of database dump files, which can lead to exposure of sensitive or confidential information contained in those backups. This could compromise data privacy and security, especially if the backups contain personal or critical data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the permissions of the backups-data directory. If the directory permissions allow non-root users to read the database dump files, the system is vulnerable. A suggested command to check the directory's own permissions is `ls -ld /path/to/backups-data`. The ownership and permissions of the files inside the directory can be verified with `ls -l /path/to/backups-data`. If the permissions are too permissive (not restricted to root), the vulnerability exists. [1]
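The following shell check is an added example, not part of the advisory or of FreedomBox itself. It automates the audit described above: every entry under the backups-data directory is flagged if its mode grants any group or other access, or if it is not owned by the expected account (root by default). `BACKUPS_DIR` is a placeholder because the advisory does not give the real path, and the `stat -c` syntax assumes GNU coreutils, as found on Debian-based FreedomBox systems.

```shell
#!/bin/sh
# Placeholder: the advisory does not state the actual backups-data path.
BACKUPS_DIR="${BACKUPS_DIR:-/path/to/backups-data}"

# check_backups_dir DIR [EXPECTED_OWNER]
# Returns 0 when DIR and everything beneath it have no group/other permission
# bits and are owned by EXPECTED_OWNER (default root). Returns 1 and prints one
# line per offending entry otherwise; returns 2 if DIR does not exist.
check_backups_dir() {
    dir="$1"
    expected_owner="${2:-root}"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }

    # stat -c: %a octal mode, %U owner name, %n path (GNU coreutils).
    findings=$(find "$dir" -exec stat -c '%a %U %n' {} + |
        awk -v owner="$expected_owner" '
        {
            mode = $1; u = $2
            # The path may contain spaces, so strip the first two fields.
            path = $0; sub(/^[^ ]+ [^ ]+ /, "", path)
            # Pad to four digits so the last two are always group and other.
            m = sprintf("%04d", mode); go = substr(m, 3)
            if (go != "00") print "permissive mode " mode ": " path
            if (u != owner) print "owner " u " (expected " owner "): " path
        }')

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "ok: $dir is restricted to $expected_owner"
    return 0
}

# Usage: audit the configured directory, expecting root ownership.
check_backups_dir "$BACKUPS_DIR"
```

A non-zero exit with findings means the directory should be repaired (for example by re-running the backups app setup, as the mitigation answer suggests) and the check re-run until it reports ok.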
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update FreedomBox to version 25.17.1 or later where the fix is applied. Alternatively, you can re-run the backups app setup to reset the backups-data directory permissions to be accessible only by root users. Ensuring that the backups-data directory is created and managed exclusively by the 'backups' application will also help secure the directory. Restarting the service after applying these changes is recommended to enforce correct permissions and ownership. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized reading of database dump files due to improper permissions on the backups-data directory, potentially exposing sensitive data. Such exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. [1]