CVE-2025-59709
Received Received - Intake
Directory Traversal in Biztalk360 Allows Unauthorized File Access

Publication date: 2026-04-03

Last updated on: 2026-04-09

Assigner: MITRE

Description
An issue was discovered in Biztalk360 through 11.5. because of mishandling of user-provided input in a path to be read by the server, a Super User attacker is able to read files on the system and/or coerce an authentication from the service, aka Directory Traversal.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59709
EUVD
EUVD-2025-209203
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kovai biztalk360 to 11.6.3963.2611 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59709 is a vulnerability in BizTalk360, a middleware management tool for Microsoft BizTalk Servers. It arises from improper handling of user-provided input in file paths, specifically in the DownloadAttachment method of the AdminBusinessService. This flaw allows an authenticated administrator to specify an absolute file path without sufficient validation, enabling them to read arbitrary files on the server.

This vulnerability is part of a broader set of security issues in BizTalk360 versions prior to 11.6.3963.2611, including directory traversal and arbitrary DLL loading, which can lead to remote code execution. The core issue is that user input is not sanitized when constructing file paths, allowing attackers to escape intended directories and access or manipulate files outside the allowed scope.

Compliance Impact

The vulnerability in BizTalk360 allows authenticated domain users to read arbitrary files on the server and execute arbitrary code with high privileges. This can lead to unauthorized access to sensitive data and system compromise.

Such unauthorized access and potential data breaches can violate common compliance standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive personal and health information, as well as ensuring data confidentiality and integrity.

Because the vulnerability enables attackers to read any file and execute code with administrative privileges, it increases the risk of exposure of regulated data and failure to maintain required security controls, thereby negatively impacting compliance with these standards.

Mitigation Strategies

Immediate mitigation steps include upgrading BizTalk360 to version 11.6.3963.2611 or later, which contains fixes for this vulnerability.

Additionally, restrict IIS authentication to a specific authorized group by configuring IIS URL Authorization rules or editing the `web.config` file to limit access to trusted domain groups.

Review and harden access control enforcement on all WCF service endpoints to prevent unauthorized access.

Validate and sanitize all user inputs used in file path construction to prevent path traversal attacks.

Restrict file upload functionality and implement strict validation and authorization checks to prevent arbitrary DLL uploads.

Impact Analysis

This vulnerability can have severe impacts on affected systems. An attacker with authenticated administrator access can read any file on the BizTalk360 server by specifying arbitrary file paths, potentially exposing sensitive information.

Moreover, when combined with related vulnerabilities in BizTalk360, such as arbitrary DLL upload and loading, an attacker can execute arbitrary code with high privileges. The BizTalk360 service runs under a highly privileged account with local administrator rights on BizTalk servers and sysadmin privileges on the MS-SQL database, which means a successful exploit can lead to full system compromise.

Additionally, the directory traversal flaw allows writing files anywhere on the file system, including remote shares, which can be used for lateral movement or privilege escalation within the network.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST HTTP requests to the vulnerable BizTalk360 endpoints, especially the `/biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel` endpoint.

Specifically, look for requests containing JSON payloads specifying DLL names, which may indicate attempts to exploit the arbitrary DLL load and remote code execution flaws.

On the system, you can check for unexpected DLL files uploaded to the NotificationChannels directory or unusual file read activities involving absolute or UNC paths.

Suggested commands to detect exploitation attempts include:

  • Use network monitoring tools (e.g., Wireshark, tcpdump) to filter HTTP POST requests to `/biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel`.
  • On the BizTalk360 server, search for recently uploaded DLL files in the `Download\NotificationChannels\Dll\` directory, e.g., `dir /s /b *NotificationChannels\Dll\*.dll` on Windows.
  • Check IIS logs for POST requests to the vulnerable endpoints with suspicious payloads.
  • Audit file access logs for reads of arbitrary or absolute paths, especially those outside expected directories.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart