CVE-2025-66956
Insecure Access Control in Asseco SEE Live 2.0 Enables Remote Execution

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: MITRE

Description
Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-14
Affected Vendors & Products
Vendor: asseco
Product: see_live
Version / Range: 2.0
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2025-66956 is an insecure access control vulnerability found in the Contact Plan, E-Mail, SMS, and Fax components of Asseco SEE Live 2.0. It allows remote attackers to access and execute file attachments by using a computable URL.

When a file is sent as an attachment or received via email and displayed in the application, the system automatically downloads the attachment to the host. Attackers can compute the MD5 hash of the file and then access it directly through a URL structured with the date and the MD5 hash of the file, enabling them to execute the attachment remotely.

Impact Analysis

This vulnerability has a critical impact on confidentiality, integrity, and availability of the affected system. Remote attackers can execute attachments without user interaction, potentially leading to unauthorized code execution, data breaches, and system compromise.

Detection Guidance

This vulnerability can be detected by checking for accessible URLs that follow the pattern used by the vulnerable Asseco SEE Live 2.0 application to serve attachments. Specifically, attackers can compute the MD5 hash of a file and attempt to access it via a URL structured as: https://[host]/live20files/emailFiles/private/[date_in_format_YYYY-MM-DD]/[MD5_hash_of_file].[file_extension].

To detect this on your system or network, you can scan web server logs or use network monitoring tools to identify requests matching this URL pattern.

Suggested commands might include using curl or wget to test access to such URLs if you have known attachment files and their hashes. For example:

curl -I https://[host]/live20files/emailFiles/private/2025-11-20/1f5534acb23426d83b5f7d2fd12c1b0d.php
wget --spider https://[host]/live20files/emailFiles/private/2025-11-20/1f5534acb23426d83b5f7d2fd12c1b0d.php

Additionally, you can search your web server access logs for requests matching the pattern "/live20files/emailFiles/private/" to identify potential exploitation attempts. [2]
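The log search described above, worked through as an added example in Python (not code from the advisory or from Asseco): it parses combined-format access-log lines, pulls the date, MD5 and extension out of requests to the attachment path, counts served requests per client, and flags the ones that reached a server-side script extension. The log format, the extension list and the sample lines are assumptions; the .php hash is the one quoted in the guidance.

```python
import re
from collections import Counter

# Attachment path shape from the advisory: /live20files/emailFiles/private/<YYYY-MM-DD>/<md5>.<ext>
ATTACHMENT_RE = re.compile(
    r"/live20files/emailFiles/private/(?P<date>\d{4}-\d{2}-\d{2})/"
    r"(?P<md5>[0-9a-fA-F]{32})\.(?P<ext>[A-Za-z0-9]+)"
)
# Combined log format (assumed): client IP, two ident fields, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Assumption: extensions the web server may execute instead of serving as a download.
SERVER_SIDE_EXTS = {"php", "asp", "aspx", "jsp", "cgi"}

def scan_log(lines):
    """Return one finding per request whose path matches the attachment pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        a = ATTACHMENT_RE.search(m.group("path"))
        if not a:
            continue  # unrelated request
        status = int(m.group("status"))
        ext = a.group("ext").lower()
        findings.append({
            "ip": m.group("ip"), "method": m.group("method"), "status": status,
            "date": a.group("date"), "md5": a.group("md5").lower(), "ext": ext,
            "served": 200 <= status < 300, "executable": ext in SERVER_SIDE_EXTS,
        })
    return findings

def summarize(findings):
    """Served attachment requests per client IP, plus those that hit a server-side script."""
    per_ip = Counter(f["ip"] for f in findings if f["served"])
    alerts = [f for f in findings if f["served"] and f["executable"]]
    return per_ip, alerts

# Constructed sample log lines (not real traffic); the .php hash is the one quoted in the guidance.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2025:10:01:02 +0000] "HEAD /live20files/emailFiles/private/2025-11-20/1f5534acb23426d83b5f7d2fd12c1b0d.php HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [20/Nov/2025:10:01:05 +0000] "GET /live20files/emailFiles/private/2025-11-20/1f5534acb23426d83b5f7d2fd12c1b0d.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.4 - - [20/Nov/2025:10:02:00 +0000] "GET /live20files/emailFiles/private/2025-11-20/0123456789abcdef0123456789abcdef.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Nov/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(scan_log(SAMPLE_LOG)))
```

Feed real access-log lines to scan_log and alert on per-client spikes or on any served request to a script extension under that path.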

Mitigation Strategies

Immediate mitigation steps include restricting access to the URL paths serving attachments to authorized users only, implementing proper access control checks on these resources, and disabling direct access to attachment files via predictable URLs.

Additionally, reviewing and updating the application to fix the insecure access control vulnerability is critical. Until a patch is applied, consider blocking or filtering requests to the vulnerable URL patterns at the web server or firewall level.

Monitoring logs for suspicious access attempts and educating users about the risks of opening attachments from untrusted sources can also help reduce exploitation risk.
