CVE-2025-59099
Unknown Unknown - Not Provided
Path Traversal and DoS in CompactWebServer Access Manager

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication. Hence, it is possible to retrieve all files stored on the file system, including the SQLite database Database.sq3, containing badge information and the corresponding PIN codes. Additionally, when trying to access certain files, the web server crashes and becomes unreachable for about 60 seconds. This can be abused to continuously send the request and cause denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59099
EUVD
EUVD-2025-206363
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor compactwebserver *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-35 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a path traversal issue in the CompactWebServer used by the Access Manager. It allows an attacker to access files on the server's file system directly through simple GET requests without needing to authenticate first. This means sensitive files, including a SQLite database containing badge information and PIN codes, can be retrieved by an attacker. Additionally, attempting to access certain files causes the web server to crash and become unreachable for about 60 seconds, which can be exploited to cause a denial of service.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information, such as badge data and PIN codes stored in the SQLite database. It also allows attackers to cause denial of service by crashing the web server repeatedly, making the service unavailable for periods of time.

Detection Guidance

Detection can be performed by monitoring for unauthorized GET requests attempting path traversal patterns, such as requests containing '../' sequences targeting sensitive files like Database.sq3. Additionally, observing repeated crashes or unavailability of the web server for about 60 seconds after certain file access attempts may indicate exploitation attempts. Specific commands are not provided in the available information.

Mitigation Strategies

Immediate mitigation steps include restricting access to the CompactWebServer to trusted networks, implementing network-level controls to block suspicious GET requests with path traversal patterns, and monitoring for denial of service attempts caused by repeated access to certain files. Applying patches or updates from the vendor once available is also recommended. Specific mitigation commands or patches are not provided in the available information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59099. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart