CVE-2025-66386: n/a
CVE-2025-66386 is a path traversal vulnerability in the MISP platform prior to version 2.5.27, specifically in the app/Model/EventReport.php component. This flaw allows a site-admin user to manipulate file paths when viewing pictures, potentially accessing unauthorized files on the server. Although exploitation requires site-admin privileges, successful attacks could lead to unauthorized disclosure of sensitive files, impacting confidentiality. There are no known exploits in the wild yet, and no CVSS score has been assigned. The vulnerability affects MISP instances running versions before 2.5.27.
AI Analysis
Technical Summary
CVE-2025-66386 is a path traversal vulnerability in MISP (Malware Information Sharing Platform & Threat Sharing) before version 2.5.27. The flaw lies in app/Model/EventReport.php, in the code path that serves pictures attached to event reports. A user holding the site-admin role can supply a file path that is not confined to the intended picture directory and thereby read files elsewhere on the server, limited to whatever the web-server process itself is permitted to read. Because exploitation requires site-admin privileges, the exposure is to malicious or compromised administrators rather than to anonymous or low-privilege users; treat it as an insider-risk and defense-in-depth issue, not an unauthenticated entry point. No public exploit has been reported and no CVSS score has been assigned as of publication. The CVE was reserved and published on November 28, 2025. MISP is widely deployed by security teams and CERTs (Computer Emergency Response Teams) for sharing cyber threat intelligence, so the confidentiality of the data it stores is the primary concern. Version 2.5.27 is named as the first fixed release; no separate patch or commit link is given here, so upgrading is the authoritative remediation. Nothing on this page indicates remote code execution or escalation beyond the site-admin role; the impact is disclosure of files on the host and the resulting loss of trust in the instance.
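As an added illustration (not MISP's own code; the page gives no source for the flaw), the following Python contrasts the naive join pattern behind this class of bug with a containment check that rejects escapes. PICTURE_ROOT, the function names and the sample inputs are assumptions made for the example; MISP itself is written in PHP, so the logic rather than the language is the point.

```python
import posixpath
from urllib.parse import unquote

# Assumed storage root for the example. MISP's real picture directory is
# not stated on this page; the check below works for any absolute root.
PICTURE_ROOT = "/var/www/MISP/app/files/img/event_reports"


def vulnerable_picture_path(name: str) -> str:
    """Deliberately unsafe: a caller-controlled name is joined onto the root
    with no containment check, so '../' segments walk out of the directory.
    This is the generic traversal pattern, written for illustration only."""
    return posixpath.join(PICTURE_ROOT, name)


def safe_picture_path(name: str) -> str:
    """Decode, normalise and enforce that the result stays under PICTURE_ROOT.
    Raises ValueError on any escape attempt instead of returning a path."""
    # Decode twice so double-encoded sequences (%252e%252e) cannot slip past
    # a check that only sees the single-decoded form.
    decoded = unquote(unquote(name))
    if "\x00" in decoded:
        raise ValueError("NUL byte in picture name")
    if posixpath.isabs(decoded):
        # posixpath.join discards the root when the second argument is absolute.
        raise ValueError("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(PICTURE_ROOT, decoded))
    # The trailing "/" matters: without it, PICTURE_ROOT + "_backup/x" would
    # pass a plain startswith() check. In production, resolve symlinks with
    # os.path.realpath() on both sides before comparing.
    if candidate != PICTURE_ROOT and not candidate.startswith(PICTURE_ROOT + "/"):
        raise ValueError(f"path escapes picture root: {candidate}")
    return candidate


def is_traversal_attempt(name: str) -> bool:
    """True when safe_picture_path() would reject the name."""
    try:
        safe_picture_path(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("1234/image.png", "../../../../../../../etc/passwd",
                   "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "../event_reports_backup/x"):
        print(f"{sample!r:45} vulnerable -> {posixpath.normpath(vulnerable_picture_path(sample))}"
              f"  rejected by safe check: {is_traversal_attempt(sample)}")
```

The unsafe function is kept only to show what normalisation does to a traversal name; the safe variant is the shape of check to look for when reviewing any file-serving code path that accepts a caller-supplied name.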
Potential Impact
For European organizations, the impact of CVE-2025-66386 primarily concerns the confidentiality of sensitive threat intelligence held in MISP instances. Unauthorized file access could expose internal reports, indicators of compromise, or other restricted information shared among trusted partners, leaking intelligence, undermining incident response and potentially aiding adversaries. Because exploitation requires site-admin privileges, the risk is concentrated in compromised site-admin accounts and malicious insiders. Availability and integrity impacts are limited: the vulnerability does not enable modification or deletion of data or denial of service. A confidentiality breach alone, however, can have serious consequences for organizations involved in cybersecurity operations, particularly in critical infrastructure sectors and government agencies. The threat is most acute for organizations that rely heavily on MISP for collaborative defense and have not yet moved to the fixed version.
Mitigation Recommendations
1. Upgrade all MISP instances to version 2.5.27 or later; this is the only fix for the flaw itself.
2. Restrict the site-admin role to the smallest set of trusted personnel and require multi-factor authentication (MFA) on those accounts to reduce the chance of compromise.
3. Audit site-admin accounts and their activity regularly for unauthorized access or unusual behaviour.
4. Segment the network and apply access controls so MISP servers are reachable only from the users and systems that need them.
5. Monitor web-server and application logs for traversal sequences (../ and their URL-encoded forms) in requests that serve pictures, and prioritise any that returned a successful response.
6. Train site-admin users to recognise phishing and credential theft, since a stolen site-admin credential is the realistic route to exploiting this flaw.
7. If an immediate upgrade is not feasible, restrict access to the event-report picture viewing feature, or disable it, until the instance is patched.
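To make recommendation 5 concrete, here is an added example (not from the page or the MISP project) that scans access-log lines in the common "combined" layout for traversal indicators in the request path and query values, decoding percent-encoding until it is stable so double-encoded forms are caught. The log lines are constructed for the example, and the /pictures/view route in them is a placeholder, not MISP's real URL.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access-log layout; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

# A ".." segment on its own, with either separator, at the start, middle or end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %252e%252e -> %2e%2e -> '..' is seen in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(uri: str) -> list:
    """Return (location, decoded value) pairs for every path or query value
    that contains a '..' segment or a NUL byte after full decoding."""
    parts = urlsplit(uri)
    findings = []
    path = decode_fully(parts.path)
    if TRAVERSAL_RE.search(path) or "\x00" in path:
        findings.append(("path", path))
    # parse_qs decodes once; decode_fully handles any further layers.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_fully(value)
            if TRAVERSAL_RE.search(decoded) or "\x00" in decoded:
                findings.append((key, decoded))
    return findings


def scan_access_log(lines) -> list:
    """Return one alert dict per request line that carries a traversal indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        findings = traversal_indicators(m["uri"])
        if not findings:
            continue
        alerts.append({
            "ip": m["ip"], "user": m["user"], "ts": m["ts"],
            "uri": m["uri"], "status": m["status"], "findings": findings,
            # A 2xx on a traversal-shaped request is the one to chase first;
            # a 4xx usually means the attempt was rejected.
            "likely_success": m["status"].startswith("2"),
        })
    return alerts


# Constructed sample log; the route and file names are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - admin [28/Nov/2025:07:03:12 +0000] "GET /pictures/view?file=1234%2Flogo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - admin [28/Nov/2025:07:05:40 +0000] "GET /pictures/view?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1871 "-" "Mozilla/5.0"
198.51.100.9 - analyst [28/Nov/2025:07:06:01 +0000] "GET /pictures/view?file=%252e%252e%252f%252e%252e%252fconfig.php HTTP/1.1" 404 220 "-" "curl/8.5.0"
203.0.113.7 - admin [28/Nov/2025:07:07:15 +0000] "GET /pictures/view/..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG.splitlines()):
        flag = "SUCCESS?" if alert["likely_success"] else "blocked"
        print(f"{alert['ts']} {alert['user']}@{alert['ip']} {alert['status']} {flag} {alert['findings']}")
```

Run it against the web server's access log rather than only MISP's application log: the application may not record a request that it served from the filesystem, but the front-end server records every URI. Correlate hits by user and source IP with the site-admin audit from recommendation 3.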
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-28T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69294930842b163e002c8eae
Added to database: 11/28/2025, 7:03:12 AM
Last enriched: 11/28/2025, 7:16:46 AM
Last updated: 11/28/2025, 8:23:59 AM
Related Threats
- CVE-2025-13771: CWE-23 Relative Path Traversal in Uniong WebITR (High)
- CVE-2025-13768: CWE-639 Authorization Bypass Through User-Controlled Key in Uniong WebITR (High)
- CVE-2025-13770: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Uniong WebITR (High)
- CVE-2025-13769: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Uniong WebITR (High)
- CVE-2025-66385: CWE-472 External Control of Assumed-Immutable Web Parameter in cerebrate-project Cerebrate (Critical)