CVE-2025-66955 is a Local File Inclusion vulnerability identified in Asseco SEE Live 2.0, specifically within its Contact Plan, E-Mail, SMS, and Fax components. The flaw arises from insufficient validation of the 'path' parameter in the downloadAttachment and downloadAttachmentFromPath API calls, which are designed to retrieve attachments. Remote attackers who have authenticated access to the system can exploit this vulnerability by supplying crafted input to the 'path' parameter, enabling them to read arbitrary files on the host server. This can include sensitive configuration files, credentials, or other critical data stored on the system. The vulnerability does not require user interaction beyond authentication, but it does require valid credentials, limiting exploitation to insiders or attackers who have compromised user accounts. No CVSS score has been assigned yet, and no patches or mitigations have been officially released. The lack of known exploits in the wild suggests it is either newly discovered or under limited attack. However, the potential for data leakage and subsequent attacks makes this a significant concern for organizations using Asseco SEE Live 2.0. The vulnerability highlights the need for robust input validation and strict access controls on API endpoints handling file operations.

The primary impact of CVE-2025-66955 is unauthorized disclosure of sensitive information due to Local File Inclusion. Attackers with authenticated access can read arbitrary files on the server, potentially exposing credentials, private keys, configuration files, or personal data. This can lead to further compromise, including privilege escalation, lateral movement within the network, or data breaches. The vulnerability undermines confidentiality and could indirectly affect integrity if attackers leverage disclosed information to modify system behavior. Availability impact is minimal unless attackers use disclosed data to disrupt services. Organizations relying on Asseco SEE Live 2.0 for communication workflows (Contact Plan, E-Mail, SMS, Fax) may face operational risks if sensitive data is exposed or if trust in communication security is eroded. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with weak credential management or insider threats.

To mitigate CVE-2025-66955, organizations should immediately restrict access to the affected API endpoints (downloadAttachment and downloadAttachmentFromPath) to only trusted and necessary users. Implement strict input validation and sanitization on the 'path' parameter to prevent directory traversal and file inclusion attacks. Employ the principle of least privilege for user accounts with access to these APIs, and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Monitor logs for unusual access patterns or attempts to access unauthorized files via these endpoints. Network segmentation can limit exposure of the vulnerable service. If possible, disable or isolate the vulnerable components until a vendor patch is available. Regularly check for updates from Asseco and apply security patches promptly once released. Conduct security audits and penetration testing focused on file inclusion and API security to identify and remediate similar issues proactively.