
CVE-2025-36857: CWE-276 Incorrect Default Permissions in Rapid7 Appspider Pro

Severity: Low
Tags: Vulnerability, CVE-2025-36857, CWE-276
Published: Thu Sep 25 2025 (09/25/2025, 14:41:35 UTC)
Source: CVE Database V5
Vendor/Project: Rapid7
Product: Appspider Pro

Description

Rapid7 Appspider Pro versions below 7.5.021 suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard users to add custom configuration files. These files, which are loaded in alphabetical order, can override or change the settings of the original configuration files, creating a security vulnerability. This issue stems from improper directory access management. This vulnerability was remediated in version 7.5.021 of the product.

AI-Powered Analysis

AI analysis last updated: 09/25/2025, 14:47:16 UTC

Technical Analysis

CVE-2025-36857 is a vulnerability identified in Rapid7 Appspider Pro versions prior to 7.5.021. The issue arises from incorrect default permissions related to the application's configuration file loading mechanism. Specifically, the vulnerability is a broken access control flaw (CWE-276) that allows standard users to place custom configuration files into directories belonging to other users or projects. The application loads configuration files in alphabetical order, which means that an attacker can craft and insert malicious or altered configuration files that override or modify the settings of legitimate configuration files. This improper directory access management can lead to unauthorized changes in application behavior or settings. The vulnerability does not allow direct compromise of confidentiality or availability but impacts integrity by enabling unauthorized modification of configuration files. The flaw requires local access with standard user privileges (AV:L, PR:L) and does not require user interaction (UI:N). The CVSS v3.1 base score is 3.3, indicating a low severity level. The vulnerability was addressed and remediated in version 7.5.021 of Appspider Pro. There are no known exploits in the wild at this time.

Potential Impact

For European organizations using vulnerable versions of Rapid7 Appspider Pro, this vulnerability could allow malicious insiders or compromised standard user accounts to alter application configurations improperly. While the impact on confidentiality and availability is minimal, the integrity of the scanning or security assessment process could be undermined. This could lead to inaccurate vulnerability assessments or bypassing of security controls configured via these files. In regulated industries or organizations relying heavily on Appspider Pro for security validation, such integrity compromises could result in compliance issues or delayed detection of real threats. However, since exploitation requires local access with standard privileges and no remote exploitation vector is indicated, the risk is primarily internal or limited to users with some system access.

Mitigation Recommendations

European organizations should ensure that all instances of Rapid7 Appspider Pro are updated to version 7.5.021 or later, where this vulnerability has been fixed. Additionally, organizations should enforce strict file system permissions on directories used by Appspider Pro to prevent unauthorized users from placing or modifying configuration files outside their own scope. Implementing monitoring and alerting on changes to configuration directories can help detect unauthorized modifications. Limiting the number of users with local access to systems running Appspider Pro and applying the principle of least privilege will reduce the risk of exploitation. Regular audits of user permissions and configuration file integrity checks can further mitigate risks. Finally, organizations should consider isolating Appspider Pro environments to trusted users only and use endpoint security controls to prevent unauthorized file writes.
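As an added example that is not part of the advisory or of Rapid7's own code: a small POSIX audit script that lists the files in a configuration directory in the alphabetical load order the advisory describes and flags any file owned by an untrusted user or group/world writable, together with the trusted files that sort before it and would therefore be overridden. The directory layout, file names and the notion of a "trusted uid" (defaulting to the directory owner) are assumptions, and the sample directory is constructed in a temp dir.

```python
import os
import stat
import tempfile
from pathlib import Path


def load_order(config_dir):
    """Config files in the alphabetical order the advisory says they are loaded,
    so a file that sorts later can override settings of one that sorts earlier."""
    return sorted(p for p in Path(config_dir).iterdir() if p.is_file())


def audit_config_dir(config_dir, trusted_uids=None):
    """Flag config files that could override trusted settings.

    A file is suspect if its owner is not a trusted uid (assumption: the
    directory owner is trusted by default) or if its POSIX mode allows group
    or world writes. Each finding records which trusted files it shadows,
    i.e. the trusted files loaded before it in alphabetical order."""
    d = Path(config_dir)
    if trusted_uids is None:
        trusted_uids = {d.stat().st_uid}
    findings, trusted_seen = [], []
    for p in load_order(d):
        st = p.stat()
        loose = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        if st.st_uid in trusted_uids and not loose:
            trusted_seen.append(p.name)
            continue
        findings.append({"file": p.name, "uid": st.st_uid,
                         "loose_mode": loose, "overrides": list(trusted_seen)})
    return findings


def demo():
    """Constructed sample: one trusted config plus a world-writable file that
    sorts after it and would therefore override its settings."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "config.xml").write_text("<settings/>")
    os.chmod(tmp / "config.xml", 0o644)
    (tmp / "zz-override.xml").write_text("<settings/>")
    os.chmod(tmp / "zz-override.xml", 0o666)
    return audit_config_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it against a real installation's configuration directories (path not given by the advisory) turns the "file integrity checks" recommendation into a repeatable check that can be scheduled or fed into alerting.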


Technical Details

Data Version: 5.1
Assigner Short Name: rapid7
Date Reserved: 2025-04-16T00:09:11.312Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d555d5bcd404e045649dc2

Added to database: 9/25/2025, 2:46:45 PM

Last enriched: 9/25/2025, 2:47:16 PM

Last updated: 9/26/2025, 1:17:47 AM
