CVE-2025-54963 is a security vulnerability identified in BAE Systems' SOCET GXP software prior to version 4.6.0.2. SOCET GXP is a geospatial imagery exploitation and analysis tool widely used in defense, intelligence, and government sectors for processing and analyzing geospatial data. The vulnerability arises from improper input validation in the GXP Job Service component, which handles job requests submitted by users or automated processes. Specifically, the software fails to sanitize file path inputs, allowing an attacker to craft job requests containing directory traversal sequences (e.g., '../') that bypass intended file access restrictions. By exploiting this flaw, an attacker with access to the Job Service interface can read arbitrary files on the host filesystem with the privileges of the Job Service process. This can lead to unauthorized disclosure of sensitive information such as configuration files, credentials, or classified data stored on the system. The vulnerability does not require elevated privileges beyond access to the Job Service, but such access is a prerequisite. No authentication bypass or privilege escalation is described, so the attacker must already be able to interact with the Job Service. No user interaction is needed beyond submitting the malicious job request. As of the published date, no public exploits have been reported, and no official patch links are provided, indicating that remediation may still be pending or in progress. The absence of a CVSS score necessitates an independent severity assessment based on the potential impact and exploitability. Overall, this vulnerability represents a significant confidentiality risk in environments where SOCET GXP is deployed, especially given the sensitive nature of the data processed by the software.

For European organizations, particularly those in defense, intelligence, and government sectors that utilize BAE SOCET GXP for geospatial analysis, this vulnerability poses a serious risk of sensitive data exposure. Unauthorized read access to filesystem contents could lead to leakage of classified or proprietary information, undermining operational security and potentially compromising national security interests. The impact is heightened in environments where the Job Service interface is exposed to internal networks with multiple users or insufficient access controls. Confidentiality breaches could also affect contractors and partners handling sensitive geospatial data. Additionally, the exposure of configuration or credential files could facilitate further attacks or lateral movement within networks. While availability and integrity impacts are not directly indicated, the confidentiality breach alone can have severe consequences given the critical nature of the data involved. European organizations with strict data protection regulations (e.g., GDPR) may also face compliance risks if sensitive personal or operational data is exposed. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before active exploitation occurs.

1. Restrict access to the GXP Job Service interface to trusted and authenticated users only, ideally through network segmentation and firewall rules limiting access to necessary hosts. 2. Monitor and log all interactions with the Job Service to detect anomalous or unauthorized job submissions that may indicate exploitation attempts. 3. Implement strict input validation and sanitization on any custom integrations or scripts interacting with the Job Service to prevent injection of directory traversal sequences. 4. Apply patches or updates from BAE Systems as soon as they become available to address the vulnerability directly. 5. Conduct regular security assessments and penetration tests focusing on the SOCET GXP environment to identify and remediate potential weaknesses. 6. Educate system administrators and users about the risks associated with the Job Service interface and enforce the principle of least privilege for service accounts. 7. If patching is delayed, consider deploying host-based intrusion detection systems (HIDS) to alert on suspicious file access patterns or unauthorized reads. 8. Review and harden file system permissions to limit the scope of files accessible by the Job Service process, minimizing potential data exposure.