CVE-2025-60949 is a critical security vulnerability identified in Census CSWeb version 8.0.1, categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability stems from the fact that the "app/config" directory is accessible over HTTP in certain deployments without requiring authentication. This misconfiguration or design flaw allows remote attackers to send crafted HTTP requests to retrieve sensitive configuration files containing secrets such as database credentials, API keys, or other confidential information. The vulnerability is exploitable remotely without any user interaction or privileges, making it highly accessible to attackers. The CVSS 4.0 base score of 9.3 reflects the critical nature of this exposure, highlighting high impact on confidentiality and integrity, while availability remains unaffected. The vulnerability was publicly disclosed on March 23, 2026, and has been fixed in Census CSWeb version 8.1.0 alpha. Although no exploits have been reported in the wild yet, the straightforward nature of the attack vector and the sensitivity of the leaked data pose significant risks. Organizations running the affected version must prioritize patching and implement access controls to prevent unauthorized HTTP access to configuration directories. Additionally, auditing existing deployments for exposure and monitoring network traffic for suspicious requests targeting the "app/config" path are recommended to detect potential exploitation attempts.

The impact of CVE-2025-60949 is substantial for organizations using Census CSWeb 8.0.1. Unauthorized disclosure of configuration files can lead to leakage of sensitive secrets such as database credentials, encryption keys, or API tokens. This exposure can enable attackers to escalate privileges, move laterally within networks, exfiltrate data, or disrupt operations by manipulating backend systems. The vulnerability affects confidentiality and integrity severely, as attackers can gain unauthorized access to critical information and potentially alter configurations or data. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of compromise. Organizations in sectors relying on Census CSWeb for critical web applications or data processing may face operational disruptions, reputational damage, regulatory penalties, and financial losses. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation, as attackers may develop exploits rapidly given the vulnerability's simplicity and severity.

To mitigate CVE-2025-60949 effectively, organizations should: 1) Immediately upgrade Census CSWeb installations to version 8.1.0 or later where the vulnerability is fixed. 2) Restrict HTTP access to the "app/config" directory by configuring web server rules (e.g., using .htaccess, NGINX location blocks, or firewall rules) to deny all external requests to configuration paths. 3) Implement network segmentation and access controls to limit exposure of internal management interfaces. 4) Conduct thorough audits of all Census CSWeb deployments to identify and remediate any instances where configuration files are publicly accessible. 5) Monitor web server logs and network traffic for suspicious requests targeting configuration directories to detect potential exploitation attempts early. 6) Employ web application firewalls (WAFs) with rules blocking access to sensitive paths. 7) Review and rotate any secrets or credentials that may have been exposed prior to remediation to prevent misuse. 8) Educate development and operations teams about secure deployment practices to avoid similar misconfigurations in the future.