CVE-2025-8054: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenText™ XM Fax
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. This issue affects XM Fax: 24.2.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-8054 is a path traversal vulnerability (CWE-22) in OpenText™ XM Fax version 24.2. It stems from improper validation and limitation of pathname input, allowing an attacker to traverse outside the intended restricted directory and disclose arbitrary files on the local filesystem, potentially including configuration files, credentials, or other confidential data stored on the server hosting XM Fax. The CVSS 4.0 vector lists a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high confidentiality impact (C:H) with no impact on integrity or availability; an attacker therefore needs only a low-privilege account, not elevated authentication or any action by a victim. The vulnerability is published with no known exploits in the wild, but the potential for data leakage is significant given the nature of the flaw. XM Fax is widely used in enterprise environments for secure fax communications, making this vulnerability a critical concern for organizations relying on the product for sensitive document transmission. No patch link is listed, which suggests a fix is pending or not yet publicly released and emphasizes the need for interim mitigations.
Potential Impact
The primary impact of CVE-2025-8054 is the unauthorized disclosure of sensitive information stored on the local filesystem of systems running OpenText XM Fax 24.2. This can lead to exposure of confidential business documents, user credentials, configuration files, or other sensitive data, potentially facilitating further attacks such as privilege escalation or lateral movement within the network. Since the vulnerability can be exploited remotely over the network with limited privileges and no user interaction, it poses a significant risk to organizations worldwide. The confidentiality breach could result in regulatory compliance violations, intellectual property theft, and damage to organizational reputation. While integrity and availability are not directly impacted, the loss of confidentiality alone is critical in environments handling sensitive communications. The scope includes all instances of XM Fax 24.2 accessible over the network, especially those exposed to untrusted networks or insufficiently segmented internal networks.
Mitigation Recommendations
1. Immediately restrict network access to the OpenText XM Fax service to trusted internal networks only, using firewalls and network segmentation.
2. Implement strict access controls and least privilege principles for users and services interacting with XM Fax to minimize the risk of exploitation by low-privilege attackers.
3. Monitor system and application logs for unusual file access patterns or attempts to access unauthorized directories.
4. Disable or limit features that allow user-supplied input for file paths until a patch is available.
5. Engage with OpenText support to obtain or expedite patches or hotfixes addressing CVE-2025-8054.
6. Conduct a thorough review of sensitive files and credentials stored on XM Fax servers and rotate credentials if exposure is suspected.
7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect path traversal attempts targeting XM Fax.
8. Educate system administrators and security teams about this vulnerability and ensure incident response plans include steps for path traversal exploitation scenarios.
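As a worked example of the log-monitoring mitigation in steps 3 and 7, added here and not part of the original advisory: a small detector that canonicalizes each request target (lower-casing, folding overlong UTF-8 spellings, then percent-decoding repeatedly so double-encoded sequences collapse) before looking for a `..` segment in the path or any query value, run over constructed access-log lines. The log format, the host addresses and the `/fax/download?file=` route are constructed placeholders, not XM Fax's real endpoints or log format.

```python
import re
from urllib.parse import unquote

# One combined-log style access line; only the request target is needed.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)')

# Overlong UTF-8 spellings of '.', '/' and '\' that unquote() leaves as
# replacement characters; folded to ASCII before decoding.
OVERLONG = {'%c0%ae': '.', '%c0%af': '/', '%c1%9c': '\\'}

# A '..' path segment bounded by '/' or '\' (or by start/end of the piece).
DOTDOT_SEGMENT = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

def canonicalize(target: str, rounds: int = 3) -> str:
    """Lower-case, fold overlong sequences, then percent-decode repeatedly
    so double- and triple-encoded '%252e%252e' collapse to '..'."""
    t = target.lower()
    for enc, ch in OVERLONG.items():
        t = t.replace(enc, ch)
    for _ in range(rounds):
        decoded = unquote(t)
        if decoded == t:
            break
        t = decoded
    return t

def is_traversal(target: str) -> bool:
    """True if the path or any query value contains a '..' segment."""
    for piece in re.split(r'[?&=;]', canonicalize(target)):
        if DOTDOT_SEGMENT.search(piece):
            return True
    return False

def flag_traversal(log_text: str) -> list:
    """Return the source, user and raw target of every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m['target']):
            hits.append({'src': m['src'], 'user': m['user'], 'target': m['target']})
    return hits

# Constructed sample log: placeholder hosts and a placeholder download route.
SAMPLE_LOG = """\
10.0.0.5 - alice [19/Feb/2026:10:32:05 +0000] "GET /fax/download?file=report.pdf HTTP/1.1" 200 5120
10.0.0.7 - bob [19/Feb/2026:10:33:11 +0000] "GET /fax/download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [19/Feb/2026:10:34:02 +0000] "GET /fax/download?file=%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 404 120
10.0.0.11 - - [19/Feb/2026:10:35:40 +0000] "GET /fax/download?file=%C0%AE%C0%AE/%C0%AE%C0%AE/boot.ini HTTP/1.1" 403 90
"""
```

`flag_traversal(SAMPLE_LOG)` flags the second, third and fourth lines and leaves the benign download alone; a request whose value merely contains dots inside a name (for example `a..b/c`) is not flagged because the check requires a whole `..` segment.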
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: OpenText
- Date Reserved: 2025-07-22T13:07:37.061Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69978f65d7880ec89b38454f
Added to database: 2/19/2026, 10:32:05 PM
Last enriched: 2/28/2026, 1:29:53 PM
Last updated: 4/6/2026, 4:53:24 AM