CVE-2025-60805 is a vulnerability identified in the BESSystem BES Application Server versions through 9.5.x. The issue arises from improper access control related to the 'pre-resource' option within the bes-web.xml configuration file. This misconfiguration or design flaw allows unauthorized remote attackers to retrieve sensitive information without requiring any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component. The confidentiality impact is high (C:H), indicating that sensitive data can be disclosed, but integrity and availability remain unaffected (I:N, A:N). This vulnerability falls under CWE-200, which involves exposure of sensitive information to unauthorized parties. Although no patches or known exploits are currently available, the high CVSS score of 7.5 reflects the seriousness of the issue. Organizations relying on BESSystem BES Application Server should prioritize assessing their exposure and implementing mitigations to prevent data leakage.

For European organizations, the primary impact is the unauthorized disclosure of sensitive information, which could include configuration details, credentials, or other critical data stored or referenced in bes-web.xml. This exposure can lead to further attacks such as lateral movement, privilege escalation, or targeted espionage. Confidentiality breaches can result in regulatory non-compliance, especially under GDPR, leading to legal and financial penalties. The lack of impact on integrity and availability reduces the risk of service disruption but does not diminish the severity of information leakage. Organizations in sectors with high-value data or critical infrastructure are particularly at risk. The absence of known exploits currently provides a window for proactive defense, but the ease of exploitation and network accessibility make rapid mitigation essential.

Since no official patches are currently available, European organizations should immediately audit their BESSystem BES Application Server deployments to identify affected versions. Restrict network access to the BES Application Server, especially limiting exposure of management interfaces and configuration files to trusted internal networks only. Implement strict access controls and firewall rules to prevent unauthorized external access. Review and harden the bes-web.xml configuration, removing or securing the 'pre-resource' option if possible. Monitor network traffic and logs for any suspicious access attempts targeting the bes-web.xml or related resources. Engage with the vendor for updates and apply patches promptly once released. Additionally, consider deploying web application firewalls (WAFs) with custom rules to block attempts to access sensitive configuration files. Conduct regular security assessments and penetration tests to verify the effectiveness of mitigations.