CVE-2025-59709
Directory Traversal in Biztalk360 Allows Unauthorized File Access
Publication date: 2026-04-03
Last updated on: 2026-04-09
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kovai | biztalk360 | up to 11.6.3963.2611 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in BizTalk360 allows authenticated domain users to read arbitrary files on the server and execute arbitrary code with high privileges. This can lead to unauthorized access to sensitive data and system compromise.
Such unauthorized access and potential data breaches can violate common compliance standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive personal and health information, as well as ensuring data confidentiality and integrity.
Because the vulnerability enables attackers to read any file and execute code with administrative privileges, it increases the risk of exposure of regulated data and failure to maintain required security controls, thereby negatively impacting compliance with these standards.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading BizTalk360 to version 11.6.3963.2611 or later, which contains fixes for this vulnerability.
Additionally, restrict IIS authentication to a specific authorized group by configuring IIS URL Authorization rules or editing the `web.config` file to limit access to trusted domain groups.
Review and harden access control enforcement on all WCF service endpoints to prevent unauthorized access.
Validate and sanitize all user inputs used in file path construction to prevent path traversal attacks.
Restrict file upload functionality and implement strict validation and authorization checks to prevent arbitrary DLL uploads.
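As an added illustration of the CWE-22 path-construction weakness and the unvalidated absolute-path case this page describes, not code from BizTalk360 or its vendor: the defect pattern beside a containment check. The attachment root directory is an assumed value, and `ntpath` is used so the Windows path rules apply wherever the snippet is run.

```python
import ntpath

# Assumed location for this example; the product's real attachment root is not given on this page.
ATTACHMENT_ROOT = r"C:\BizTalk360\Download\Attachments"


def unsafe_resolve(user_supplied, root=ATTACHMENT_ROOT):
    """The defect pattern: join the user's value onto the root and trust the result.
    ntpath.join discards root when the second part is absolute, so 'C:\\Windows\\win.ini'
    or '\\\\server\\share\\x' comes back unchanged, and '..\\' segments walk out of root."""
    return ntpath.join(root, user_supplied)


def safe_resolve(user_supplied, root=ATTACHMENT_ROOT):
    """Return the full path only if user_supplied names a file strictly inside root.
    Raises ValueError for absolute paths, UNC paths, traversal, or empty/NUL input."""
    if not user_supplied or "\x00" in user_supplied:
        raise ValueError("empty or NUL-containing name")
    drive, rest = ntpath.splitdrive(user_supplied)
    # A drive letter or UNC prefix (\\server\share) is an absolute location;
    # so is a leading separator (rooted on the current drive).
    if drive or rest.startswith(("\\", "/")):
        raise ValueError("absolute or UNC path rejected")
    candidate = ntpath.normpath(ntpath.join(root, user_supplied))
    root_norm = ntpath.normcase(ntpath.normpath(root))
    # normpath has already collapsed '..' segments; a case-insensitive prefix check
    # then catches anything that escaped the root (or that equals the root itself).
    if not ntpath.normcase(candidate).startswith(root_norm + ntpath.sep):
        raise ValueError("path escapes attachment root")
    return candidate


def is_safe(user_supplied, root=ATTACHMENT_ROOT):
    """Boolean wrapper around safe_resolve for use as an input validator."""
    try:
        safe_resolve(user_supplied, root)
        return True
    except ValueError:
        return False
```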
Can you explain this vulnerability to me?
CVE-2025-59709 is a vulnerability in BizTalk360, a middleware management tool for Microsoft BizTalk Servers. It arises from improper handling of user-provided input in file paths, specifically in the DownloadAttachment method of the AdminBusinessService. This flaw allows an authenticated administrator to specify an absolute file path without sufficient validation, enabling them to read arbitrary files on the server.
This vulnerability is part of a broader set of security issues in BizTalk360 versions prior to 11.6.3963.2611, including directory traversal and arbitrary DLL loading, which can lead to remote code execution. The core issue is that user input is not sanitized when constructing file paths, allowing attackers to escape intended directories and access or manipulate files outside the allowed scope.
How can this vulnerability impact me?
This vulnerability can have severe impacts on affected systems. An attacker with authenticated administrator access can read any file on the BizTalk360 server by specifying arbitrary file paths, potentially exposing sensitive information.
Moreover, when combined with related vulnerabilities in BizTalk360, such as arbitrary DLL upload and loading, an attacker can execute arbitrary code with high privileges. The BizTalk360 service runs under a highly privileged account with local administrator rights on BizTalk servers and sysadmin privileges on the MS-SQL database, which means a successful exploit can lead to full system compromise.
Additionally, the directory traversal flaw allows writing files anywhere on the file system, including remote shares, which can be used for lateral movement or privilege escalation within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST HTTP requests to the vulnerable BizTalk360 endpoints, especially the `/biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel` endpoint.
Specifically, look for requests containing JSON payloads specifying DLL names, which may indicate attempts to exploit the arbitrary DLL load and remote code execution flaws.
On the system, you can check for unexpected DLL files uploaded to the NotificationChannels directory or unusual file read activities involving absolute or UNC paths.
Suggested commands to detect exploitation attempts include:
- Use network monitoring tools (e.g., Wireshark, tcpdump) to filter HTTP POST requests to `/biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel`.
- On the BizTalk360 server, search for recently uploaded DLL files in the `Download\NotificationChannels\Dll\` directory, e.g., `dir /s /b "<BizTalk360 install directory>\Download\NotificationChannels\Dll\*.dll"` on Windows (`dir` only accepts wildcards in the final path component, so give the directory path in full).
- Check IIS logs for POST requests to the vulnerable endpoints with suspicious payloads.
- Audit file access logs for reads of arbitrary or absolute paths, especially those outside expected directories.
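An added detection example, not from the page's vendor or any product: a small parser for IIS W3C extended logs that flags POST requests to the ValidateNotificationChannel endpoint named above. The log lines are constructed samples, and the `#Fields` layout is assumed (IIS writes whichever fields are enabled on the site).

```python
from dataclasses import dataclass

# Endpoint from the detection guidance above, compared case-insensitively
# because IIS treats URL paths case-insensitively.
SUSPECT_URI = "/biztalk360/services.rest/alertservice.svc/validatenotificationchannel"

# Constructed sample in IIS W3C format (not real server logs); the fourth
# request uses an obviously placeholder operation name.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-04-05 09:12:01 10.0.0.5 GET /biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel - CORP\\jdoe 10.0.0.40 405
2026-04-05 09:12:07 10.0.0.5 POST /biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel - CORP\\jdoe 10.0.0.40 200
2026-04-05 09:13:44 10.0.0.5 POST /BizTalk360/services.rest/alertservice.svc/validatenotificationchannel - CORP\\svc_deploy 10.0.0.77 500
2026-04-05 09:14:02 10.0.0.5 POST /biztalk360/Services.REST/AlertService.svc/PlaceholderOperation - CORP\\jdoe 10.0.0.40 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    username: str
    status: str


def parse_w3c(text):
    """Yield one dict per data row, using the most recent #Fields directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # comments, blanks, or rows before any header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspect_posts(text, uri=SUSPECT_URI):
    """Return Hit records for every POST whose path matches the suspect endpoint."""
    hits = []
    for row in parse_w3c(text):
        if row["cs-method"].upper() == "POST" and row["cs-uri-stem"].lower() == uri:
            hits.append(Hit(f"{row['date']} {row['time']}", row["c-ip"], row["cs-username"], row["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_posts(SAMPLE_LOG):
        print(hit)
```

Point the script at a real `u_ex*.log` file to review the POSTs it reports by client address and user; a GET to the same path, or a POST elsewhere, is deliberately not reported.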