CVE-2025-60949 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting Census CSWeb version 8.0.1. The root cause is that the 'app/config' directory is accessible over HTTP in some deployments, allowing unauthenticated remote attackers to directly request and retrieve configuration files. These files often contain sensitive secrets such as database credentials, API keys, or other confidential configuration data. Because the vulnerability requires no authentication, no user interaction, and can be exploited remotely, it poses a significant risk. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) reflects that the attack vector is network-based, with low attack complexity, no privileges or user interaction needed, and high impact on confidentiality and integrity. The vulnerability was publicly disclosed on March 23, 2026, and fixed in the 8.1.0 alpha release of Census CSWeb. Although no exploits are known in the wild, the ease of exploitation and the nature of leaked data make this a critical security issue. Organizations running the vulnerable version should prioritize upgrading and apply access controls to prevent unauthorized HTTP access to sensitive directories.

The exposure of configuration files containing sensitive secrets can have severe consequences for organizations worldwide. Attackers gaining access to database credentials or API keys can escalate attacks, leading to data breaches, unauthorized data manipulation, or lateral movement within networks. Confidentiality is severely compromised, and integrity may also be affected if attackers use leaked credentials to alter data or system configurations. The availability impact is minimal but could arise indirectly if attackers leverage the information to disrupt services. Because the vulnerability requires no authentication and no user interaction, it can be exploited at scale, increasing the risk of widespread compromise. Organizations relying on Census CSWeb 8.0.1 in critical infrastructure, government, or enterprise environments face heightened risks of data leakage and subsequent cyberattacks.

1. Upgrade Census CSWeb to version 8.1.0 or later where the vulnerability is fixed. 2. Immediately restrict HTTP access to the 'app/config' directory using web server configuration rules (e.g., deny all access or require authentication). 3. Implement network-level controls such as firewalls or reverse proxies to block unauthorized external access to sensitive paths. 4. Conduct an audit of all configuration files to identify and rotate any leaked secrets or credentials. 5. Employ web application firewalls (WAFs) with rules to detect and block attempts to access configuration files. 6. Review deployment practices to ensure sensitive files are never exposed via HTTP or other public interfaces. 7. Monitor logs for suspicious requests targeting configuration paths to detect exploitation attempts early. 8. Educate development and operations teams on secure configuration management and the risks of exposing sensitive files.