
CVE-2025-68462: CWE-732 Incorrect Permission Assignment for Critical Resource in Debian FreedomBox

Severity: Low
Tags: Vulnerability, CVE-2025-68462, CWE-732
Published: Thu Dec 18 2025 (12/18/2025, 05:14:11 UTC)
Source: CVE Database V5
Vendor/Project: Debian
Product: FreedomBox

Description

Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases.

AI-Powered Analysis

AI analysis last updated: 12/25/2025, 06:58:22 UTC

Technical Analysis

CVE-2025-68462 describes a vulnerability in Debian FreedomBox, an open-source personal server platform: versions before 25.17.1 do not set correct permissions on the backups-data directory, so the database dump files it contains can be read by unauthorized local users. The weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource), and its consequence is unauthorized information disclosure. The CVSS 3.1 base score is 3.2 (low severity): the attack vector is local (AV:L), attack complexity is high (AC:H), no privileges are required (PR:N), and no user interaction is needed (UI:N). The scope is changed (S:C) because the vulnerability affects resources beyond the immediate security scope. The impact is limited to confidentiality (C:L), with no impact on integrity or availability. No exploits have been reported in the wild, indicating limited current threat activity. A local attacker could read the backup data and thereby obtain confidential information stored in the database dumps. FreedomBox is used primarily by privacy-conscious individuals and small organizations, often in Europe, for personal cloud and server services. The issue underscores the importance of strict permission management on backup data; it is remediated by updating to FreedomBox 25.17.1 or later, which corrects the permission settings.

Potential Impact

The primary impact of CVE-2025-68462 is unauthorized local disclosure of the sensitive data held in database backup files on FreedomBox systems. For European organizations using FreedomBox as a personal or small-scale server solution, this could leak confidential information, potentially including user data, configuration details, or other sensitive content stored in databases. Although exploitation requires local access and has high attack complexity, insiders or attackers who have already gained a limited local foothold could take advantage of it. Because integrity and availability are unaffected, the concern is confidentiality alone. In sectors where data privacy is critical, such as healthcare, legal, or governmental organizations using FreedomBox, this exposure could contravene data protection regulations such as the GDPR. The vulnerability does not currently appear to be exploited in the wild, which reduces the immediate risk, but backup data is an attractive target for anyone with local access. Overall, the impact is moderate for organizations with strict confidentiality requirements and low for general users without sensitive data or local threat exposure.

Mitigation Recommendations

1. Upgrade FreedomBox installations to version 25.17.1 or later as soon as the patch is available to ensure correct permission settings on the backups-data directory.
2. Conduct an immediate audit of file system permissions on backup directories to verify that only authorized users have read access.
3. Restrict local user accounts and enforce the principle of least privilege to minimize the risk of unauthorized local access.
4. Implement monitoring and alerting for unusual local access to backup directories or database dump files.
5. Consider encrypting backup files at rest to add an additional layer of protection in case of unauthorized access.
6. Review and harden FreedomBox configurations related to user access and backup management.
7. Educate users and administrators about the risks of local access vulnerabilities and the importance of timely patching.
8. If FreedomBox is deployed in multi-user or shared environments, isolate backup storage using access control mechanisms or containerization to reduce exposure.
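As an added example of the permission audit in step 2 (this is not FreedomBox's own code), the script below walks a backup directory, reports every file or directory whose mode bits let users other than the owner read or traverse it, and can tighten them to owner-only. The default path is a placeholder assumption, not FreedomBox's actual backups-data location, and the fix assumes the owning account is the only one that legitimately needs access.

```python
"""Audit a backup directory for CWE-732 style exposure: entries readable or
traversable by group/other. Added example, not FreedomBox project code."""
import os
import stat
import sys
from pathlib import Path

# Mode bits that grant read or search (execute) access to group or others.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH


def exposed_entries(root):
    """Return [(path, octal_mode)] for every entry under root that group or
    other users can read or traverse. The root itself is included, because a
    searchable directory is what lets a local user reach the dumps inside it."""
    findings = []
    root = Path(root)
    for path in [root, *root.rglob("*")]:
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # symlink mode bits are not enforced; audit the target itself
        if mode & EXPOSED_BITS:
            findings.append((str(path), oct(stat.S_IMODE(mode))))
    return findings


def fix_permissions(root):
    """Restrict root and everything below it to the owner: 0700 for
    directories, 0600 for files. Assumes only the owner needs access."""
    root = Path(root)
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        path.chmod(0o700 if path.is_dir() else 0o600)


if __name__ == "__main__":
    # Placeholder path: substitute the real backup directory on your system.
    target = sys.argv[1] if len(sys.argv) > 1 else "/path/to/backups-data"
    results = exposed_entries(target)
    for entry_path, entry_mode in results:
        print(f"EXPOSED {entry_mode} {entry_path}")
    sys.exit(1 if results else 0)  # non-zero exit makes it usable in a cron/CI check
```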


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-18T05:14:11.592Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694392b458cc240f07a98528

Added to database: 12/18/2025, 5:35:48 AM

Last enriched: 12/25/2025, 6:58:22 AM

Last updated: 2/7/2026, 3:52:56 PM

Views: 89
