
CVE-2025-8054: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenText™ XM Fax

Severity: High
Tags: Vulnerability, CVE-2025-8054, CWE-22
Published: Thu Feb 19 2026 (02/19/2026, 22:21:22 UTC)
Source: CVE Database V5
Vendor/Project: OpenText™
Product: XM Fax

Description

CVE-2025-8054 is a high-severity path traversal vulnerability in OpenText™ XM Fax version 24.2. It allows an attacker with limited privileges to read arbitrary files on the local filesystem by bypassing pathname restrictions. Exploitation does not require user interaction or authentication but does require some level of privileges on the system. The vulnerability impacts confidentiality by exposing sensitive files but does not affect integrity or availability. No known exploits are currently reported in the wild. Organizations using XM Fax 24.2 should prioritize patching or applying mitigations to prevent unauthorized file disclosure. This vulnerability is particularly relevant to enterprises and government agencies relying on OpenText XM Fax for secure fax communications. Countries with significant OpenText customer bases and critical infrastructure deployments are at higher risk.

AI-Powered Analysis

AILast updated: 02/19/2026, 22:46:23 UTC

Technical Analysis

CVE-2025-8054 is a path traversal vulnerability classified under CWE-22 found in OpenText™ XM Fax version 24.2. The vulnerability arises from improper limitation of pathnames to restricted directories, allowing attackers to craft requests that traverse directories and access files outside the intended scope. This flaw enables an attacker to arbitrarily disclose contents of files on the local filesystem, potentially exposing sensitive information such as configuration files, credentials, or other confidential data. The vulnerability has a CVSS 4.0 base score of 7.1, indicating high severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H). The vulnerability does not impact integrity or availability. The scope remains unchanged (S:N), and the exploitability rating is medium (RE:M). No known exploits have been reported in the wild yet, but the potential for information disclosure is significant. The vulnerability affects only version 24.2 of XM Fax, a product used for secure fax transmission and management in enterprise environments. The issue was reserved in July 2025 and published in February 2026. The lack of patch links suggests that a fix may be forthcoming or in development.

Potential Impact

The primary impact of CVE-2025-8054 is unauthorized disclosure of sensitive information stored on systems running OpenText XM Fax 24.2. Attackers exploiting this vulnerability can read arbitrary files, which may include system configuration files, user credentials, encryption keys, or other confidential data. This breach of confidentiality can lead to further attacks such as privilege escalation, lateral movement, or data exfiltration. Since XM Fax is often deployed in enterprise and government environments for secure document transmission, exposure of sensitive fax data or system files could have serious operational and reputational consequences. The vulnerability does not directly affect system integrity or availability, but the information gained could facilitate more damaging attacks. Organizations worldwide using this product version are at risk, especially those with sensitive communications or regulatory compliance requirements. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability’s network accessibility and low complexity make it a significant threat once exploited.

Mitigation Recommendations

To mitigate CVE-2025-8054, organizations should first verify if they are running OpenText XM Fax version 24.2 and prioritize upgrading to a patched version once available from the vendor. Until a patch is released, implement strict network segmentation and firewall rules to restrict access to the XM Fax service only to trusted internal users and systems. Employ application-layer filtering or web application firewalls (WAFs) to detect and block path traversal attempts by monitoring for suspicious input patterns such as '../' sequences. Review and harden file system permissions to ensure the XM Fax service account has the minimum necessary access, preventing it from reading sensitive files outside its operational scope. Conduct regular audits and monitoring of file access logs for unusual activity indicative of exploitation attempts. Additionally, consider deploying intrusion detection systems (IDS) with signatures for path traversal attacks. Engage with OpenText support for guidance and subscribe to their security advisories to receive timely updates. Finally, educate administrators and security teams about this vulnerability to ensure rapid response and containment.
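As an added, defender-side example that is not part of this advisory or of the OpenText product: a small Python checker that applies the log-monitoring and '../'-filtering advice above to constructed access-log lines. The /fax/view?file= URL layout and the log lines are assumptions for illustration; the check decodes URL-encoded, double-encoded and backslash variants before deciding, which a plain '../' substring match misses, and does not flag a legitimate filename that merely contains '..'.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines; the /fax/view?file= layout is an assumption, not the product's real endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2026:22:21:22 +0000] "GET /fax/view?file=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [19/Feb/2026:22:21:30 +0000] "GET /fax/view?file=../../config/secrets.ini HTTP/1.1" 200 2048
10.0.0.9 - - [19/Feb/2026:22:21:41 +0000] "GET /fax/view?file=..%2f..%2fconfig%2fsecrets.ini HTTP/1.1" 200 2048
10.0.0.9 - - [19/Feb/2026:22:21:52 +0000] "GET /fax/view?file=%252e%252e%252fsecrets.ini HTTP/1.1" 404 0
10.0.0.7 - - [19/Feb/2026:22:22:03 +0000] "GET /fax/view?file=archive/2025/cover..pdf HTTP/1.1" 200 900
10.0.0.9 - - [19/Feb/2026:22:22:14 +0000] "GET /fax/view?file=..%5c..%5csecrets.ini HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

def decode_fully(value: str, max_rounds: int = 3) -> str:
    # Undo repeated percent-encoding: %252e%252e -> %2e%2e -> .. (double encoding is a classic filter bypass).
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(raw_value: str) -> bool:
    # Decide on the decoded, normalised path rather than on a '..' substring: backslashes count as
    # separators, absolute paths are rejected, and 'a/../b' is collapsed, so 'cover..pdf' is not flagged.
    decoded = decode_fully(raw_value).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    normalised = normpath(decoded)
    return normalised == ".." or normalised.startswith("../")

def traversal_events(log_text: str, param: str = "file") -> list[tuple[str, str]]:
    # Return (client_ip, offending_value) for every logged request whose file parameter escapes the base directory.
    events = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for value in parse_qs(query).get(param, []):  # parse_qs already performs one decoding round
            if escapes_root(value):
                events.append((line.split()[0], value))
    return events

if __name__ == "__main__":
    for ip, value in traversal_events(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: file={value!r}")
```

Run against a real access log, the same functions feed a WAF rule or a SIEM alert keyed on the client address; the parameter name and log format will need adjusting to the deployment.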


Technical Details

Data Version: 5.2
Assigner Short Name: OpenText
Date Reserved: 2025-07-22T13:07:37.061Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69978f65d7880ec89b38454f

Added to database: 2/19/2026, 10:32:05 PM

Last enriched: 2/19/2026, 10:46:23 PM

Last updated: 2/20/2026, 12:03:06 AM

