CVE-2025-68462
Unknown Unknown - Not Provided
Improper Permissions in Freedombox Backups Allow Data Exposure

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: MITRE

Description
Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68462
EUVD
EUVD-2025-204034
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freedombox freedombox *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Freedombox before version 25.17.1 involves improper permissions set on the backups-data directory. Because of this, unauthorized users can read dump files of databases stored in that directory, potentially exposing sensitive data. [1]

Impact Analysis

The vulnerability allows unauthorized reading of database dump files, which can lead to exposure of sensitive or confidential information contained in those backups. This could compromise data privacy and security, especially if the backups contain personal or critical data. [1]

Detection Guidance

You can detect this vulnerability by checking the permissions of the backups-data directory. If the directory permissions allow non-root users to read dump files of databases, the system is vulnerable. A suggested command to check permissions is: ls -ld /path/to/backups-data. Additionally, verifying ownership and permissions of files inside the directory can be done with: ls -l /path/to/backups-data. If permissions are too permissive (not restricted to root), the vulnerability exists. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, update FreedomBox to version 25.17.1 or later where the fix is applied. Alternatively, you can re-run the backups app setup to reset the backups-data directory permissions to be accessible only by root users. Ensuring that the backups-data directory is created and managed exclusively by the 'backups' application will also help secure the directory. Restarting the service after applying these changes is recommended to enforce correct permissions and ownership. [1]

Compliance Impact

This vulnerability allows unauthorized reading of database dump files due to improper permissions on the backups-data directory, potentially exposing sensitive data. Such exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart