CVE-2025-48480 is a high-severity vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox application. The flaw exists in versions prior to 1.8.180 and involves improper enforcement of behavioral workflow (CWE-841). Specifically, an authorized user with administrator privileges or the User::PERM_EDIT_USERS privilege can exploit the user creation and avatar management functionality to delete arbitrary files. During user creation, the attacker can specify a path traversal payload (../.htaccess) as the user's avatar path. Subsequently, by deleting the user's avatar, the attacker causes the deletion of the .htaccess file located in the /storage/app/public directory. The .htaccess file is critical for web server configuration, controlling access rules and security settings. Its deletion could lead to unintended exposure of sensitive files or directories, weakening the web server's security posture. The vulnerability requires no user interaction and no authentication beyond having elevated privileges, which means it is exploitable by insiders or compromised administrator accounts. The CVSS 4.0 score is 7.0 (high), reflecting network attack vector, low attack complexity, no user interaction, and high impact on confidentiality due to potential exposure of sensitive data via misconfigured web server behavior. This vulnerability has been patched in FreeScout version 1.8.180. There are no known exploits in the wild at this time.

For European organizations using FreeScout versions prior to 1.8.180, this vulnerability poses a significant risk. The deletion of the .htaccess file could lead to unauthorized access to sensitive directories or files within the help desk application environment, potentially exposing customer data, internal communications, or configuration files. This could result in confidentiality breaches and undermine the integrity of the help desk system. Additionally, the loss of .htaccess protections might allow attackers or malicious insiders to execute further attacks such as directory listing, unauthorized file uploads, or code execution depending on server configuration. Given that FreeScout is often used by small to medium enterprises and public sector organizations for customer support, exploitation could disrupt critical support operations and damage organizational reputation. The requirement for elevated privileges limits exploitation to insiders or compromised administrator accounts, but insider threats or privilege escalation scenarios are common attack vectors. Therefore, the impact on confidentiality and operational continuity is considerable for affected European entities.

European organizations should immediately upgrade FreeScout to version 1.8.180 or later to apply the official patch that addresses this vulnerability. Until the upgrade is performed, organizations should restrict administrator and User::PERM_EDIT_USERS privileges to trusted personnel only and monitor for suspicious user creation or avatar modification activities. Implement strict access controls and audit logging around user management functions to detect potential abuse. Additionally, organizations should verify the integrity of the .htaccess file in the /storage/app/public directory and restore it from backups if deleted. Harden the web server configuration to minimize reliance on .htaccess files where possible, for example by moving critical access controls to the main server configuration files. Conduct regular security reviews of help desk systems and ensure that privilege assignments follow the principle of least privilege. Finally, consider implementing file integrity monitoring solutions to alert on unauthorized changes or deletions of critical configuration files like .htaccess.