CVE-2025-5296

CWE-59: Improper Link Resolution Before File Access ('Link Following') vulnerability exists that could cause arbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file corruption, exposure of application and system information or persistent denial of service when a low-privileged attacker tampers with the installation folder.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-224-03.pdf

Configurations

No configuration.

History

18 Aug 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) CWE-59: Existe una vulnerabilidad de resolución de enlace incorrecta antes del acceso a archivos ('Seguimiento de enlace') que podría provocar que se escriban datos arbitrarios en ubicaciones protegidas, lo que podría llevar a una escalada de privilegios, corrupción arbitraria de archivos, exposición de información de aplicaciones y sistemas o denegación persistente de servicio cuando un atacante con pocos privilegios manipula la carpeta de instalación.

18 Aug 2025, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-18 08:15

Updated : 2025-08-18 20:16

NVD link : CVE-2025-5296

Mitre link : CVE-2025-5296

CVE.ORG link : CVE-2025-5296

JSON object : View

Products Affected

No product.

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2025-5296", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cybersecurity@se.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cybersecurity@se.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-18T08:15:27.820", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-224-03.pdf", "source": "cybersecurity@se.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cybersecurity@se.com", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "CWE-59: Improper Link Resolution Before File Access ('Link Following') vulnerability exists that could cause \narbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file \ncorruption, exposure of application and system information or persistent denial of service when a low-privileged \nattacker tampers with the installation folder."}, {"lang": "es", "value": "CWE-59: Existe una vulnerabilidad de resoluci\u00f3n de enlace incorrecta antes del acceso a archivos ('Seguimiento de enlace') que podr\u00eda provocar que se escriban datos arbitrarios en ubicaciones protegidas, lo que podr\u00eda llevar a una escalada de privilegios, corrupci\u00f3n arbitraria de archivos, exposici\u00f3n de informaci\u00f3n de aplicaciones y sistemas o denegaci\u00f3n persistente de servicio cuando un atacante con pocos privilegios manipula la carpeta de instalaci\u00f3n."}], "lastModified": "2025-08-18T20:16:28.750", "sourceIdentifier": "cybersecurity@se.com"}