
CVE-2025-60449: n/a

Severity: Medium
Tags: Vulnerability, CVE-2025-60449
Published: Fri Oct 03 2025 (10/03/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory.

AI-Powered Analysis

Last updated: 10/03/2025, 14:07:43 UTC

Technical Analysis

CVE-2025-60449 is an information disclosure vulnerability identified in SeaCMS version 13.1, specifically within the admin_safe.php component located in the /btcoan/ directory. It allows an authenticated administrator to scan and download not only the source code of the SeaCMS application but also potentially any file accessible from the server's root directory. The flaw arises from insufficient access controls or improper validation in the admin_safe.php script, which fails to restrict file access to the files it is intended to serve. As a result, an attacker with valid administrator credentials can use it to exfiltrate sensitive files, including configuration files, credentials, private keys, or other critical data stored on the server. Although exploitation requires authentication, the impact is significant because the exposed information can facilitate further attacks such as privilege escalation, lateral movement, or full system compromise. No CVSS score has been assigned yet, and there were no known public exploits in the wild at the time of publication. The vulnerability nevertheless poses a serious risk because of the breadth of data it exposes to anyone holding, or having stolen, administrator access.

Potential Impact

For European organizations using SeaCMS 13.1, this vulnerability presents a substantial risk to confidentiality and potentially integrity of their web infrastructure. Exposure of source code and server files could reveal business logic, security mechanisms, and sensitive credentials, enabling attackers to craft targeted attacks or pivot within the network. Organizations handling sensitive or regulated data (e.g., personal data under GDPR) could face compliance violations and reputational damage if such data is exposed. The requirement for administrator authentication limits the attack surface to insiders or attackers who have already compromised administrator credentials, but this does not diminish the severity since insider threats and credential theft are common attack vectors. The vulnerability could also facilitate further exploitation, such as deploying malware or ransomware, if attackers gain deeper insight into the system. European entities relying on SeaCMS for content management, especially in sectors like government, finance, healthcare, or critical infrastructure, could be particularly impacted due to the sensitivity of their data and the regulatory environment.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately audit their SeaCMS installations to identify whether version 13.1 is in use and whether the admin_safe.php component is accessible. Since no official patch or update is currently available, organizations should implement the following specific measures:

1) Restrict access to the /btcoan/ directory and the admin_safe.php script using web server configuration (e.g., IP allowlisting, authentication hardening) so that only trusted administrators can reach them.
2) Enforce strong multi-factor authentication (MFA) for all administrator accounts to reduce the risk of credential compromise.
3) Monitor and log all administrative access and file download activity so that suspicious behaviour is detected promptly.
4) Review and harden file permissions on the server so that only the files the web application needs are readable by the web application user, minimizing what can be read or downloaded.
5) Consider deploying a web application firewall (WAF) with custom rules to detect and block abnormal requests targeting admin_safe.php.
6) Engage with the SeaCMS vendor or community to track the release of an official patch addressing this vulnerability, and plan for timely deployment.
7) Perform regular security assessments and penetration testing focused on authenticated administrator functionality to identify similar risks.
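Items 1 and 3 above can be backed by a simple log check. The following Python is an added example, not code from the page or from the SeaCMS project: it parses web server access logs in the common "combined" format (an assumption about the deployment), flags requests to /btcoan/admin_safe.php from IPs outside an administrator allowlist, and flags bursts of requests to that script from one IP, which is what a bulk scan-and-download would look like. The log lines and the allowlisted address are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2025:14:00:01 +0000] "GET /btcoan/admin_safe.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2025:14:00:05 +0000] "GET /btcoan/admin_safe.php HTTP/1.1" 200 40960 "-" "curl/8.0"
198.51.100.7 - - [03/Oct/2025:14:00:06 +0000] "GET /btcoan/admin_safe.php HTTP/1.1" 200 81920 "-" "curl/8.0"
198.51.100.7 - - [03/Oct/2025:14:00:07 +0000] "GET /btcoan/admin_safe.php HTTP/1.1" 200 20480 "-" "curl/8.0"
203.0.113.10 - - [03/Oct/2025:14:01:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SENSITIVE_PATH = "/btcoan/admin_safe.php"   # component named in the advisory

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d

def find_suspicious(log_text, allowlist, burst_threshold=3, window=timedelta(seconds=60)):
    """Return (kind, ip, timestamp) alerts: 'untrusted_source' for every hit on the
    sensitive path from an IP not in allowlist, and one 'burst' per IP that makes
    burst_threshold or more hits within any sliding window of length `window`."""
    alerts = []
    hits = defaultdict(list)  # ip -> timestamps of requests to SENSITIVE_PATH
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["path"].split("?")[0] != SENSITIVE_PATH:
            continue
        if rec["ip"] not in allowlist:
            alerts.append(("untrusted_source", rec["ip"], rec["ts"]))
        hits[rec["ip"]].append(rec["ts"])
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times)):
            n = sum(1 for t in times[i:] if t - times[i] <= window)
            if n >= burst_threshold:
                alerts.append(("burst", ip, times[i]))
                break
    return alerts
```

On the constructed sample, the allowlisted administrator at 203.0.113.10 produces no alerts, while 198.51.100.7 produces three untrusted-source alerts and one burst alert.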


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68dfd89ea59dbcde03c0fdca

Added to database: 10/3/2025, 2:07:26 PM

Last enriched: 10/3/2025, 2:07:43 PM

Last updated: 10/7/2025, 11:31:15 AM

